Fix InetAddressMatchers#matchExternal to exclude null and any local addresses

therepanic · therepanic · commit 4fdf9419d01c · 2026-04-14T20:29:40.000+03:00
This commit fixes the incorrect behavior of `InetAddressMatchers#matchExternal`, where `matchExternal` returns an incorrect answer when passing a null / local address argument, which is not reliable. Closes: gh-19072 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
diff --git a/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatchers.java b/core/src/main/java/org/springframework/security/util/matcher/InetAddressMatchers.java
@@ -31,6 +31,7 @@
  * strategies for IP addresses.
  *
  * @author Rob Winch
+ * @author Andrey Litvitski
  * @since 7.1
  */
 public final class InetAddressMatchers {
@@ -256,6 +257,9 @@ public boolean matches(@Nullable InetAddress address) {
 			if (address == null) {
 				return false;
 			}
+			if (address.isAnyLocalAddress()) {
+				return true;
+			}
 			if (address.isLoopbackAddress() || address.isLinkLocalAddress() || address.isSiteLocalAddress()) {
 				return true;
 			}
@@ -335,6 +339,9 @@ private ExternalInetAddressMatcher() {
 
 		@Override
 		public boolean matches(@Nullable InetAddress address) {
+			if (address == null) {
+				return false;
+			}
 			return !this.internalMatcher.matches(address);
 		}
 
diff --git a/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatchersTests.java b/core/src/test/java/org/springframework/security/util/matcher/InetAddressMatchersTests.java
@@ -31,6 +31,7 @@
  * Tests for {@link InetAddressMatchers}.
  *
  * @author Rob Winch
+ * @author Andrey Litvitski
  */
 class InetAddressMatchersTests {
 
@@ -51,6 +52,12 @@ void matchInternalWhenInvokedThenReturnsBuilder() {
 		assertThat(builder).isNotNull();
 	}
 
+	@Test
+	void matchesWhenInetAddressNullThenReturnsFalse() {
+		InetAddressMatcher matcher = InetAddressMatchers.matchExternal().build();
+		assertThat(matcher.matches((InetAddress) null)).isFalse();
+	}
+
 	@Nested
 	class BuilderTests {
 
@@ -410,6 +417,13 @@ void matchesWhenIpv6PublicThenReturnsFalse() throws Exception {
 			assertThat(matcher.matches(InetAddress.getByName("2001:4860:4860::8888"))).isFalse();
 		}
 
+		@ParameterizedTest
+		@ValueSource(strings = { "0.0.0.0", "::" })
+		void matchesWhenWildcardAddressThenReturnsFalse(String address) throws Exception {
+			InetAddressMatcher matcher = InetAddressMatchers.matchExternal().build();
+			assertThat(matcher.matches(InetAddress.getByName(address))).isFalse();
+		}
+
 	}
 
 	@Nested

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`* strategies for IP addresses.`
`32`	`32`	`*`
`33`	`33`	`* @author Rob Winch`
	`34`	`+ * @author Andrey Litvitski`
`34`	`35`	`* @since 7.1`
`35`	`36`	`*/`
`36`	`37`	`public final class InetAddressMatchers {`
`@@ -256,6 +257,9 @@ public boolean matches(@Nullable InetAddress address) {`
`256`	`257`	`if (address == null) {`
`257`	`258`	`return false;`
`258`	`259`	`}`
	`260`	`+ if (address.isAnyLocalAddress()) {`
	`261`	`+ return true;`
	`262`	`+ }`
`259`	`263`	`if (address.isLoopbackAddress() \|\| address.isLinkLocalAddress() \|\| address.isSiteLocalAddress()) {`
`260`	`264`	`return true;`
`261`	`265`	`}`
`@@ -335,6 +339,9 @@ private ExternalInetAddressMatcher() {`
`335`	`339`
`336`	`340`	`@Override`
`337`	`341`	`public boolean matches(@Nullable InetAddress address) {`
	`342`	`+ if (address == null) {`
	`343`	`+ return false;`
	`344`	`+ }`
`338`	`345`	`return !this.internalMatcher.matches(address);`
`339`	`346`	`}`
`340`	`347`