IP CIDR Ranges IPv4 IPv6 Mismatches (#33246)

demisto · Mar 7, 2024 · 1d870eb · 1d870eb
1 parent 86c7f1c
commit 1d870eb
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 14 deletions.
diff --git a/Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md b/Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### IsInCidrRanges
+
+- Fixed an issue where using different protocol versions (IPv4 and IPv6), which could return erroneous results.
diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js
@@ -71,24 +71,31 @@ function validateCIDR(cidrRange) {
   return true; // CIDR range is well-formed
 }
 
+function getCIDRNetworkAddress(cidrRange) {
+  return cidrRange.split('/')[0]
+}
+
+function getCIDRSubnetMask(cidrRange) {
+  return cidrRange.split('/')[1]
+}
+
 function isIPInCIDR(ipAddress, cidrRange) {
   if (!validateCIDR(cidrRange)) {
       return false;
   }
 
-  var parts = cidrRange.split('/');
-  var networkAddress = parts[0];
-  var subnetMask = parts[1];
+  var networkAddress = getCIDRNetworkAddress(cidrRange);
+  var cidrSubnetMask = getCIDRSubnetMask(cidrRange);
 
   // Convert IP address and network address to binary
   var ipBinary = ipToBinary(ipAddress);
   var networkBinary = ipToBinary(networkAddress);
 
   // Get the network part of the IP address based on the subnet mask
-  var networkPart = ipBinary.slice(0, parseInt(subnetMask, 10));
+  var networkPart = ipBinary.slice(0, parseInt(cidrSubnetMask, 10));
 
   // Check if the network parts match
-  return networkPart === networkBinary.slice(0, parseInt(subnetMask, 10));
+  return networkPart === networkBinary.slice(0, parseInt(cidrSubnetMask, 10));
 }
 
 function isIPInAnyCIDR(ipAddresses, cidrRanges) {
@@ -98,7 +105,12 @@ for (let i = 0; i < ipAddresses.length; i++) {
   isInRange = false;
 
   for (let j = 0; j < cidrRanges.length; j++) {
-    if (isIPInCIDR(ipAddresses[i], cidrRanges[j])) {
+
+    // Mismatches are always false
+    if ((!isIPv6(ipAddresses[i]) &&  isIPv6(getCIDRNetworkAddress(cidrRanges[j])))
+     || ( isIPv6(ipAddresses[i]) && !isIPv6(getCIDRNetworkAddress(cidrRanges[j])))) {
+      results[i] = 'False';
+    } else if (isIPInCIDR(ipAddresses[i], cidrRanges[j])) {
       isInRange = true;
       results[i] = 'True';
       break;

diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml
@@ -6,17 +6,17 @@ script: ''
 type: javascript
 tags:
 - filter
-comment: Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested.
+comment: Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false.
 enabled: true
 args:
 - name: left
   required: true
   isArray: true
-  description: The IPv4/IPv6 address (or comma-delimited addresses) to check.
+  description: A comma-separated list of IPv4 or IPv6 addresses to search for.
 - name: right
   required: true
   isArray: true
-  description: A comma-delimited list of IPv4/IPv6 ranges in CIDR notation against which to match.
+  description: A comma-separated list of IPv4 or IPv6 ranges in CIDR notation against which to match.
 scripttarget: 0
 runas: DBotWeakRole
 tests:

diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md
@@ -1,5 +1,5 @@
-Determines whether an IPv4 address is in part of at least one of the comma-delimited CIDR ranges given. Multiple IPv4
-addresses can be passed as comma-delimited list to be checked.
+Determines whether an IPv4 or IPv6 address is in part of at least one of the comma-delimited CIDR ranges given. Multiple IPv4/IPv6
+addresses can be passed as comma-delimited list to be checked. A mix of IPv4 and IPv6 addresses will always return false.
 
 ## Script Data
 
@@ -17,5 +17,5 @@ addresses can be passed as comma-delimited list to be checked.
 
 | **Argument Name** | **Description** |
 | --- | --- |
-| left | The IPv4 address to search for. |
-| right | A comma-separated list of IPv4 ranges in CIDR notation against which to match. |
+| left | The IPv4 or IPv6 address to search for. |
+| right | A comma-separated list of IPv4 or IPv6 ranges in CIDR notation against which to match. |
diff --git a/Packs/FiltersAndTransformers/pack_metadata.json b/Packs/FiltersAndTransformers/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Filters And Transformers",
     "description": "Frequently used filters and transformers pack.",
     "support": "xsoar",
-    "currentVersion": "1.2.62",
+    "currentVersion": "1.2.63",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",