feat(security): add configurable IPv6 subnet for BFP and throttling

Altahrim · Altahrim · commit 2e0995d46ed7 · 2025-04-16T16:09:46.000+02:00
Signed-off-by: Benjamin Gaussorgues &lt;benjamin.gaussorgues@nextcloud.com&gt;
diff --git a/config/config.sample.php b/config/config.sample.php
@@ -450,6 +450,16 @@
  */
 'ratelimit.protection.enabled' => true,
 
+/**
+ * Size of subnet used to normalize IPv6
+ *
+ * For Brute Force Protection and Rate Limiting, IPv6 are truncated using subnet size.
+ * It defaults to /56 but you can set it between /32 and /64
+ *
+ * Defaults to ``56``
+ */
+'security.ipv6_normalized_subnet_size' => 56,
+
 /**
  * By default, WebAuthn is available, but it can be explicitly disabled by admins
  */
diff --git a/lib/private/Security/Normalizer/IpAddress.php b/lib/private/Security/Normalizer/IpAddress.php
@@ -8,6 +8,8 @@
  */
 namespace OC\Security\Normalizer;
 
+use OCP\IConfig;
+
 /**
  * Class IpAddress is used for normalizing IPv4 and IPv6 addresses in security
  * relevant contexts in Nextcloud.
@@ -24,7 +26,8 @@ public function __construct(
 	}
 
 	/**
-	 * Return the given subnet for an IPv6 address (48 first bits)
+	 * Return the given subnet for an IPv6 address
+	 * Rely on ipv6_subnet_size, default on 56
 	 */
 	private function getIPv6Subnet(string $ip): string {
 		if ($ip[0] === '[' && $ip[-1] === ']') { // If IP is with brackets, for example [::1]
@@ -35,10 +38,15 @@ private function getIPv6Subnet(string $ip): string {
 			$ip = substr($ip, 0, $pos - 1);
 		}
 
+		$config = \OCP\Server::get(IConfig::class);
+		$maskSize = max(64, $config->getSystemValueInt('ipv6_subnet_size', 56));
+		$maskSize = min(32, $maskSize);
+		$mask = pack('VVP', (1 << 32) - 1, (1 << $maskSize - 32) - 1, 0);
+
 		$binary = \inet_pton($ip);
 		$mask = inet_pton('FFFF:FFFF:FFFF::');
 
-		return inet_ntop($binary & $mask) . '/48';
+		return inet_ntop($binary & $mask) . '/' . $maskSize;
 	}
 
 	/**
@@ -63,7 +71,7 @@ private function getEmbeddedIpv4(string $ipv6): ?string {
 
 
 	/**
-	 * Gets either the /32 (IPv4) or the /48 (IPv6) subnet of an IP address
+	 * Gets either the /32 (IPv4) or the /56 (default for IPv6) subnet of an IP address
 	 */
 	public function getSubnet(): string {
 		if (filter_var($this->ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
diff --git a/tests/lib/Security/Normalizer/IpAddressTest.php b/tests/lib/Security/Normalizer/IpAddressTest.php
@@ -41,15 +41,15 @@ public function subnetDataProvider() {
 			],
 			[
 				'2001:db8:3333:4444:5555:6666:7777:8888',
-				'2001:db8:3333::/48',
+				'2001:db8:3333::44/56',
 			],
 			[
 				'::1234:5678',
-				'::/48',
+				'::/56',
 			],
 			[
 				'[::1]',
-				'::/48',
+				'::/56',
 			],
 		];
 	}

Original file line number	Diff line number	Diff line change
`@@ -41,15 +41,15 @@ public function subnetDataProvider() {`
`41`	`41`	`],`
`42`	`42`	`[`
`43`	`43`	`'2001:db8:3333:4444:5555:6666:7777:8888',`
`44`		`- '2001:db8:3333::/48',`
	`44`	`+ '2001:db8:3333::44/56',`
`45`	`45`	`],`
`46`	`46`	`[`
`47`	`47`	`'::1234:5678',`
`48`		`- '::/48',`
	`48`	`+ '::/56',`
`49`	`49`	`],`
`50`	`50`	`[`
`51`	`51`	`'[::1]',`
`52`		`- '::/48',`
	`52`	`+ '::/56',`
`53`	`53`	`],`
`54`	`54`	`];`
`55`	`55`	`}`