Bug report: IP Address extraction is not consistent when IPv4 address contains leading zeros #2008

Open
ericli-splunk opened this issue Apr 1, 2025 · 1 comment
@ericli-splunk
Contributor

Describe the bug
When an IPv4 address contains a leading 0, many tools treat it as octal representation (e.g. https://superuser.com/a/857618). However, when extracting IP addresses using CyberChef, some octal IP addresses are extracted (e.g. 011.012.013.014), but some are not (e.g. 0377.0377.0377.0377).

To Reproduce
Steps to reproduce the behaviour or a link to the recipe / input used to cause the bug:

  1. Go to https://gchq.github.io/CyberChef/#recipe=Extract_IP_addresses(true,false,false,false,false,false)&input=OS4xMC4xMS4xMgowMTEuMDEyLjAxMy4wMTQKCjI1NS4yNTUuMjU1LjI1NQowMzc3LjAzNzcuMDM3Ny4wMzc3Cg
  2. See that 011.012.013.014 appears in the Output, but not 0377.0377.0377.0377.

Expected behaviour
Either both 011.012.013.014 and 0377.0377.0377.0377 appear in the Output, or neither.

Desktop (if relevant, please complete the following information):

  • OS: macOS
  • Browser: Chrome 134
  • CyberChef version: 10.19.4

Additional context
The root cause is likely this regular expression:

ipv4 = "(?:(?:\\d|[01]?\\d\\d|2[0-4]\\d|25[0-5])\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d|\\d)(?:\\/\\d{1,2})?",

@gchqdev364 gchqdev364 self-assigned this May 12, 2025
gchqdev364 added a commit that referenced this issue May 12, 2025
Addresses bug report #2008
Added explicit support for octal IP addresses.
Changed approach to IPv4 regex to be string manipulation generated.
Added some unit tests for IP address parsing - probably not full coverage.
Added lookahead and lookbehind tricks to resolve warned issue that 1.2.3.256 would still be extracted as 1.2.3.25. Now only accepts valid IP addresses. Warning replaced with clause about infinite length dotted decimal forms.
@gchqdev364
Member

I think I've fixed this issue in the above PR. Please re-raise if problem persists.
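
The behaviour reported in this issue, reproduced as an added example: only the regex string is taken from the report; the `g` flag, the helper names and the sample lines are assumptions made for the demo, and none of it is CyberChef's own code. It runs the quoted regex over the addresses from the report and compares each result with a simplified octal-aware reading of the same dotted quad, including the 1.2.3.256 case from the commit message.

```javascript
// Regex string copied from the issue; the "g" flag is an assumption for this demo.
const ipv4 = "(?:(?:\\d|[01]?\\d\\d|2[0-4]\\d|25[0-5])\\.){3}(?:25[0-5]|2[0-4]\\d|[01]?\\d\\d|\\d)(?:\\/\\d{1,2})?";

// Return every substring the issue's regex pulls out of `text`.
function extractWithIssueRegex(text) {
    return text.match(new RegExp(ipv4, "g")) || [];
}

// Hypothetical helper (not from the project): read a four-part dotted quad
// with the convention the report refers to, where an octet with a leading 0
// is octal. Simplified: hex and short forms are not handled.
// Returns the canonical decimal form, or null if any octet is invalid or > 255.
function parseOctalAware(addr) {
    const octets = addr.split(".");
    if (octets.length !== 4) return null;
    const values = octets.map((o) => {
        const octal = o.length > 1 && o.startsWith("0");
        if (!(octal ? /^0[0-7]+$/ : /^\d+$/).test(o)) return NaN;
        return parseInt(o, octal ? 8 : 10);
    });
    return values.every((v) => v >= 0 && v <= 255) ? values.join(".") : null;
}

// Put the extractor's view and the octal-aware view side by side.
function compare(line) {
    const extracted = extractWithIssueRegex(line);
    return {
        line,
        extracted,
        wholeLineExtracted: extracted.length === 1 && extracted[0] === line,
        octalAwareValue: parseOctalAware(line),
    };
}

// Constructed sample lines using the addresses quoted in the issue and commit.
const samples = [
    "9.10.11.12",
    "011.012.013.014",      // three-digit octets fit the [01]?\d\d branch
    "255.255.255.255",
    "0377.0377.0377.0377",  // four-digit octets fit no branch
    "1.2.3.256",            // invalid, yet a valid-looking prefix is extracted
];

for (const s of samples) console.log(JSON.stringify(compare(s)));
```

For a defender the mismatch matters in both directions: an indicator written as 0377.0377.0377.0377 is silently skipped by the extractor although an octal-aware consumer resolves it, and 1.2.3.256 yields an address that was never in the input.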
