From 85736471bfb8a939d0c337208f6e324232642fa7 Mon Sep 17 00:00:00 2001
From: Thomas Dupas
Date: Thu, 10 Mar 2022 15:07:19 +0100
Subject: [PATCH] bump netty to current package (fixes CVE-2019-20444, CVE-2019-20445, CVE-2015-2156, CVE-2019-16869, CVE-2021-37136, CVE-2021-37137)
* migrate from netty CIDR (which no longer exists) to netty IpSubnetFilter for ip in cidr matching
---
 pom.xml | 4 +-
 .../resolver/AbstractResolverCheck.java | 19 ++----
 .../entrada/enrich/resolver/FastIpSubnet.java | 19 +++---
 .../enrich/resolver/FastIpV6Subnet.java | 59 -------------------
 .../entrada/support/PerformanceTest.java | 15 ++---
 5 files changed, 26 insertions(+), 90 deletions(-)
 delete mode 100644 src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpV6Subnet.java
diff --git a/pom.xml b/pom.xml
index 3f0a33c..236bf8a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -286,8 +286,8 @@
 io.netty
- netty
- 3.10.6.Final
+ netty-all
+ 4.1.58.Final
diff --git a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/AbstractResolverCheck.java b/src/main/java/nl/sidnlabs/entrada/enrich/resolver/AbstractResolverCheck.java
index fc707dd..e9c4dcf 100644
--- a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/AbstractResolverCheck.java
+++ b/src/main/java/nl/sidnlabs/entrada/enrich/resolver/AbstractResolverCheck.java
@@ -51,7 +51,7 @@ public abstract class AbstractResolverCheck implements DnsResolverCheck {
 private List matchers4 = new ArrayList<>();
- private List matchers6 = new ArrayList<>();
+ private List matchers6 = new ArrayList<>();
 @Value("${entrada.location.persistence}")
 private String workDir;
@@ -137,7 +137,7 @@ private void load(File file) {
 lines
 .stream()
 .filter(s -> s.contains(":"))
- .map(this::v6SubnetFor)
+ .map(this::subnetFor)
 .filter(Objects::nonNull)
 .forEach(s -> matchers6.add(s));
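Review bot: The new `4.1.58.Final` version does not cover two of the CVEs the subject claims to fix: CVE-2021-37136 and CVE-2021-37137 (Bzip2Decoder / SnappyFrameDecoder) were fixed in Netty 4.1.68.Final, and 4.1.58 also predates the 2021 fixes for CVE-2021-21290, CVE-2021-21295, CVE-2021-21409 and CVE-2021-43797. At the commit date the 4.1.7x line was current, so the bump should go to the latest 4.1.x release and the CVE list in the subject should be corrected to what that version actually addresses. Separately, `netty-all` pulls the entire Netty stack into the dependency tree although the only package used in this commit is `io.netty.handler.ipfilter`; `<artifactId>netty-handler</artifactId>` keeps the audit and attack surface to the module that is needed.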
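Review bot: The switch to `.map(this::subnetFor)` routes IPv6 entries through a constructor whose failure mode is no longer `UnknownHostException`: the new `FastIpSubnet(String)` splits on `/` and calls `Integer.parseInt`, so an entry without a prefix or with a non-numeric one surfaces as an unchecked exception, and `IpSubnetFilterRule` does not declare `UnknownHostException` either (it appears to wrap lookup failures in `IllegalArgumentException`). If `subnetFor` catches only `UnknownHostException`, as the removed `v6SubnetFor` did, such an exception escapes the stream and `load()` aborts on the first malformed line of the resolver list instead of logging it and skipping it through the `Objects::nonNull` filter, which silently disables the whole resolver check. Widen the catch in `subnetFor` to `catch (UnknownHostException | RuntimeException e)` so a single bad line is logged and dropped like before. `load()` and `subnetFor` both extend beyond this hunk.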
@@ -154,16 +154,6 @@ private FastIpSubnet subnetFor(String address) {
 return null;
 }
- private FastIpV6Subnet v6SubnetFor(String address) {
- try {
- return new FastIpV6Subnet(address);
- } catch (UnknownHostException e) {
- log.error("Cannot create subnet for: {}", address, e);
- }
-
- return null;
- }
-
 protected abstract List fetch();
 private boolean isFileAvailable(File file) {
@@ -232,9 +222,8 @@ private boolean checkv4(String address, InetAddress inetAddress) {
 }
 private boolean checkv6(String address, InetAddress inetAddress) {
- IPv6Address v6 = IPv6Address.fromInetAddress(inetAddress);
- for (FastIpV6Subnet sn : matchers6) {
- if (sn.contains(v6)) {
+ for (FastIpSubnet sn : matchers6) {
+ if (sn.contains(inetAddress)) {
 // addToCache(address);
 return true;
 }
diff --git a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpSubnet.java b/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpSubnet.java
index b6f0da9..7e1911e 100644
--- a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpSubnet.java
+++ b/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpSubnet.java
@@ -1,14 +1,17 @@
 package nl.sidnlabs.entrada.enrich.resolver;
 import java.net.InetAddress;
+import java.net.InetSocketAddress;
 import java.net.UnknownHostException;
-import org.jboss.netty.handler.ipfilter.CIDR;
+
+import io.netty.handler.ipfilter.IpFilterRuleType;
+import io.netty.handler.ipfilter.IpSubnetFilterRule;
 import lombok.Getter;
 @Getter
 public class FastIpSubnet implements Comparable {
- private final CIDR cidr;
+ private final IpSubnetFilterRule cidr;
 private String cidrString;
 public FastIpSubnet() {
@@ -16,16 +19,18 @@ public FastIpSubnet() {
 }
 /**
- * Create IpSubnet using the CIDR or normal Notation
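Review bot: Every iteration of the new `for (FastIpSubnet sn : matchers6)` loop calls `FastIpSubnet.contains(InetAddress)`, which in this same commit wraps the address in a fresh `InetSocketAddress` before calling `matches`, so one IPv6 lookup now allocates as many throwaway objects as there are resolver subnets; given the accompanying PerformanceTest this is presumably a hot path. Wrap the address once before the loop and pass the wrapper down, e.g. `InetSocketAddress key = new InetSocketAddress(inetAddress, 0);` followed by `if (sn.contains(key)) {`, backed by a `contains(InetSocketAddress)` overload on FastIpSubnet. `checkv6` continues past the end of the hunk.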
+ * Create IpSubnet using the CIDR Notation
* i.e.:
* IpSubnet subnet = new IpSubnet("10.10.10.0/24"); or
- * IpSubnet subnet = new IpSubnet("10.10.10.0/255.255.255.0"); or
 * IpSubnet subnet = new IpSubnet("1fff:0:0a88:85a3:0:0:0:0/24");
 *
 * @param netAddress a network address as string.
 */
 public FastIpSubnet(String netAddress) throws UnknownHostException {
- cidr = CIDR.newCIDR(netAddress);
+ String[] split = netAddress.split("/");
+ String cidr = split[0];
+ int cidrPrefix = Integer.parseInt(split[1]);
+ this.cidr = new IpSubnetFilterRule(cidr, cidrPrefix, IpFilterRuleType.ACCEPT);
 cidrString = cidr.toString();
 }
@@ -39,7 +44,7 @@ public boolean contains(InetAddress inetAddress) {
 if (cidr == null) {
 return false;
 }
- return cidr.contains(inetAddress);
+ return cidr.matches(new InetSocketAddress(inetAddress, 0));
 }
 @Override
@@ -63,6 +68,6 @@ public int hashCode() {
 /** Compare two IpSubnet */
 public int compareTo(FastIpSubnet o) {
- return cidrString.compareTo(o.getCidrString());
+ return cidr.compareTo(o.getCidr());
 }
 }
diff --git a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpV6Subnet.java b/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpV6Subnet.java
deleted file mode 100644
index 0dcd616..0000000
--- a/src/main/java/nl/sidnlabs/entrada/enrich/resolver/FastIpV6Subnet.java
+++ /dev/null
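Review bot: The kept line `cidrString = cidr.toString();` now reads the new local `String cidr` (the text before the slash) rather than the `IpSubnetFilterRule` field it shadows, so `cidrString` loses the prefix length and `10.0.0.0/8` and `10.0.0.0/16` become indistinguishable wherever `cidrString` is used for equality, hashing, ordering or logging. The parsing is also unguarded: an entry without `/` throws `ArrayIndexOutOfBoundsException`, a non-numeric prefix throws `NumberFormatException`, and `IpSubnetFilterRule` does not declare `UnknownHostException` (it appears to wrap lookup failures in `IllegalArgumentException`), so the declared `throws UnknownHostException` no longer describes what callers must catch and a single bad line in a resolver list can abort loading. The rewrite below validates the `address/prefix` shape, converts every failure back to the declared `UnknownHostException` so existing catch blocks keep logging and skipping bad entries, and rebuilds `cidrString` from the parsed parts. Note that `IpSubnetFilterRule(String, ...)` resolves its first argument by name, so a non-literal host in the list would trigger a blocking DNS lookup at load time; if that is not intended, reject entries that are not IP literals before building the rule.
```java
public FastIpSubnet(String netAddress) throws UnknownHostException {
    String[] parts = netAddress.trim().split("/", -1);
    if (parts.length != 2 || parts[0].isEmpty()) {
        throw new UnknownHostException("Expected <address>/<prefix>, got: " + netAddress);
    }
    int cidrPrefix;
    try {
        cidrPrefix = Integer.parseInt(parts[1]);
    } catch (NumberFormatException e) {
        throw new UnknownHostException("Invalid prefix length in: " + netAddress);
    }
    try {
        this.cidr = new IpSubnetFilterRule(parts[0], cidrPrefix, IpFilterRuleType.ACCEPT);
    } catch (IllegalArgumentException e) {
        // IpSubnetFilterRule reports unresolvable addresses and bad prefixes as unchecked exceptions
        UnknownHostException wrapped = new UnknownHostException("Cannot build subnet for: " + netAddress);
        wrapped.initCause(e);
        throw wrapped;
    }
    cidrString = parts[0] + "/" + cidrPrefix;
}
```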
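Review bot: `return cidr.compareTo(o.getCidr());` dereferences `cidr` without the null guard that `contains` in this same class applies (`if (cidr == null) return false;`), so an instance built with the no-arg constructor now throws `NullPointerException` as soon as it is sorted. As far as I can tell Netty's `IpSubnetFilterRule.compareTo` also orders by network address alone and casts its argument to its own IPv4 or IPv6 flavour, so rules that differ only in prefix length compare as equal and comparing a v4 rule with a v6 rule can throw `ClassCastException`; if `equals`/`hashCode` (outside the hunk) still derive from `cidrString`, `compareTo` is no longer consistent with `equals`. The simplest consistent fix is to keep the previous `return cidrString.compareTo(o.getCidrString());` and make sure `cidrString` carries the full `address/prefix` form.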
@@ -1,59 +0,0 @@
-package nl.sidnlabs.entrada.enrich.resolver;
-
-import java.net.UnknownHostException;
-import org.jboss.netty.handler.ipfilter.CIDR;
-import com.googlecode.ipv6.IPv6Address;
-import com.googlecode.ipv6.IPv6AddressRange;
-import lombok.Getter;
-
-@Getter
-public class FastIpV6Subnet {
-
- private final IPv6AddressRange range;
-
- public FastIpV6Subnet() {
- range = null;
- }
-
- public FastIpV6Subnet(String netAddress) throws UnknownHostException {
- CIDR cidr = CIDR.newCIDR(netAddress);
-
- range = IPv6AddressRange
- .fromFirstAndLast(IPv6Address.fromInetAddress(cidr.getBaseAddress()),
- IPv6Address.fromInetAddress(cidr.getEndAddress()));
-
- }
-
- /**
- * Compares the given InetAddress against the Subnet and returns true if the ip is in the
- * subnet-ip-range and false if not.
- *
- * @return returns true if the given IP address is inside the currently set network.
- */
- public boolean contains(IPv6Address address) {
- if (range == null) {
- return false;
- }
- return range.contains(address);
- }
-
- @Override
- public String toString() {
- return range.toString();
- }
-
- @Override
- public boolean equals(Object o) {
- if (!(o instanceof FastIpV6Subnet)) {
- return false;
- }
- FastIpV6Subnet ipSubnet = (FastIpV6Subnet) o;
- return ipSubnet.range.equals(range);
- }
-
- @Override
- public int hashCode() {
- return range.hashCode();
- }
-
-}
diff --git a/src/test/java/nl/sidnlabs/entrada/support/PerformanceTest.java b/src/test/java/nl/sidnlabs/entrada/support/PerformanceTest.java
index 95d4e66..128c56e 100644
--- a/src/test/java/nl/sidnlabs/entrada/support/PerformanceTest.java
+++ b/src/test/java/nl/sidnlabs/entrada/support/PerformanceTest.java
@@ -1,10 +1,11 @@
 package nl.sidnlabs.entrada.support;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import java.net.InetAddress;
-import org.jboss.netty.handler.ipfilter.CIDR;
+import java.net.InetSocketAddress;
+
+import io.netty.handler.ipfilter.IpFilterRuleType;
+import io.netty.handler.ipfilter.IpSubnetFilterRule;
 import org.junit.jupiter.api.Test;
-import com.google.common.net.InetAddresses;
 import com.googlecode.ipv6.IPv6Address;
 import com.googlecode.ipv6.IPv6AddressRange;
 import nl.sidnlabs.dnslib.util.DomainName;
@@ -47,7 +48,7 @@ public void testIpv6() throws Exception {
 .fromFirstAndLast(IPv6Address.fromString("2a00:1450:4013::"), IPv6Address.fromString("2a00:1450:4013:ffff:ffff:ffff:ffff:ffff"));
- InetAddress addr = InetAddresses.forString("2a00:1450:4013:0:0:0:0:8844");
+ InetSocketAddress addr = new InetSocketAddress("2a00:1450:4013:0:0:0:0:8844", 0);
 IPv6Address addr1 = IPv6Address.fromString("2a00:1450:4013:0:0:0:0:8844");
@@ -58,13 +59,13 @@ public void testIpv6() throws Exception {
 long time1 = System.currentTimeMillis() - start;
 System.out.println(time1);
- CIDR cidr1 = CIDR.newCIDR("2a00:1450:4013::/48");
- // CIDR cidr2 = CIDR.newCIDR("fe80::226:2dff:fefa:ffff");
+ IpSubnetFilterRule cidr1 = new IpSubnetFilterRule("2a00:1450:4013::", 48, IpFilterRuleType.ACCEPT);
+ // IpSubnetFilterRule cidr2 = new IpSubnetFilterRule("fe80::226:2dff:fefa:ffff", 128, IpFilterRuleType.ACCEPT);
 start = System.currentTimeMillis();
 for (int i = 0; i < 100000; i++) {
- cidr1.contains(addr);
+ cidr1.matches(addr);
 }
 long time2 = System.currentTimeMillis() - start;
 System.out.println(time2);