Restrict the /64 for IPv6 when adding an automatic IP restriction from a scanner action (#22853)

2024-11-14 17:04:46 +01:00 · 2024-11-14 17:04:46 +01:00 · 9598345b3b
--- a/src/olympia/scanners/actions.py
+++ b/src/olympia/scanners/actions.py
@ -1,3 +1,4 @@
+import ipaddress
 from datetime import datetime, timedelta

 from olympia.constants.scanners import MAD
@ -90,8 +91,16 @@ def _delay_auto_approval_indefinitely_and_restrict(
        )

    for ip in ips:
+        ip_object = ipaddress.ip_address(ip)
+        # For IPv4, restrict the /32, i.e. the exact IP.
+        # For IPv6, restrict the /64, otherwise the restriction would be
+        # trivial to bypass. We pass strict=False to ip_network() to make the
+        # ipaddress module ignore the hosts bits from the ip after the prefix
+        # length is applied.
+        prefix_len = 32 if ip_object.version == 4 else 64
+        network = ipaddress.ip_network((ip, prefix_len), strict=False)
        IPNetworkUserRestriction.objects.get_or_create(
-            network=f'{ip}/32',
+            network=network,
            restriction_type=restriction_type,
            defaults=restriction_defaults,
        )
--- a/src/olympia/scanners/tests/test_actions.py
+++ b/src/olympia/scanners/tests/test_actions.py
@ -392,6 +392,45 @@ class TestActions(TestCase):
                f'Addon {addon.pk} Version {addon.current_version.pk}.'
            )

+    def test_delay_auto_approval_indefinitely_and_restrict_with_ipv6(self):
+        user1 = user_factory(last_login_ip='2001:0db8:4815:1623:4200:1337:cafe:d00d')
+        user2 = user_factory(last_login_ip='')
+        user3 = user_factory()
+        addon = addon_factory(users=[user1, user2])
+        FileUpload.objects.create(
+            addon=addon,
+            user=user3,
+            version=addon.current_version.version,
+            ip_address='1.2.3.4',
+            source=amo.UPLOAD_SOURCE_DEVHUB,
+            channel=amo.CHANNEL_LISTED,
+        )
+        version = addon.current_version
+        assert not version.needshumanreview_set.filter(is_active=True).exists()
+        assert addon.auto_approval_delayed_until is None
+        _delay_auto_approval_indefinitely_and_restrict(version=version, rule=None)
+
+        # For IPv6, the /64 was restricted.
+        assert IPNetworkUserRestriction.objects.filter(
+            network='2001:db8:4815:1623::/64',
+            restriction_type=RESTRICTION_TYPES.ADDON_SUBMISSION,
+        ).exists()
+        # For IPv4, the /32 (equivalent to that single IP) was restricted.
+        assert IPNetworkUserRestriction.objects.filter(
+            network='1.2.3.4/32', restriction_type=RESTRICTION_TYPES.ADDON_SUBMISSION
+        ).exists()
+        assert not IPNetworkUserRestriction.objects.filter(network=None).exists()
+        assert not IPNetworkUserRestriction.objects.filter(network='').exists()
+        assert not IPNetworkUserRestriction.objects.filter(
+            restriction_type=RESTRICTION_TYPES.ADDON_APPROVAL
+        ).exists()
+
+        for restriction in IPNetworkUserRestriction.objects.all():
+            assert restriction.reason == (
+                'Automatically added because of a match by rule "None" on '
+                f'Addon {addon.pk} Version {addon.current_version.pk}.'
+            )
+
    def test_delay_auto_approval_indefinitely_and_restrict_already_restricted(self):
        user1 = user_factory(last_login_ip='5.6.7.8')
        user2 = user_factory(last_login_ip='')