Update geoip databases to include data about documentation ranges

internal/fields/validate.go

@@ -1256,10 +1256,10 @@ func (v *Validator) parseSingleElementValue(key string, definition FieldDefiniti
 	return nil
 }
 
-// IsDocumentation reports whether ip is a reserved address for documentation,
+// isDocumentation reports whether ip is a reserved address for documentation,
 // according to RFC 5737 (IPv4 Address Blocks Reserved for Documentation) and
 // RFC 3849 (IPv6 Address Prefix Reserved for Documentation).
-func IsDocumentation(ip net.IP) bool {
+func isDocumentation(ip net.IP) bool {
 	if ip4 := ip.To4(); ip4 != nil {
 		// Following RFC 5737, Section 3. Documentation Address Blocks which says:
 		//   The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2),
@@ -1279,6 +1279,7 @@ func IsDocumentation(ip net.IP) bool {
 // The set of allowed IPs are:
 // - private IPs as described in RFC 1918 & RFC 4193
 // - public IPs allowed by MaxMind for testing
+// - Reserved IPs for documentation RFC 5737 and RFC 3849
 // - 0.0.0.0 and 255.255.255.255 for IPv4
 // - 0:0:0:0:0:0:0:0 and ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff for IPv6
 func (v *Validator) isAllowedIPValue(s string) bool {
@@ -1295,7 +1296,7 @@ func (v *Validator) isAllowedIPValue(s string) bool {
 
 	if ip.IsUnspecified() ||
 		ip.IsPrivate() ||
-		IsDocumentation(ip) ||
+		isDocumentation(ip) ||
 		ip.IsLoopback() ||
 		ip.IsLinkLocalUnicast() ||
 		ip.IsLinkLocalMulticast() ||

internal/fields/validate_test.go

@@ -6,6 +6,7 @@ package fields
 
 import (
 	"encoding/json"
+	"net"
 	"os"
 	"path/filepath"
 	"sort"
@@ -1184,3 +1185,87 @@ func readSampleEvent(t *testing.T, path string) json.RawMessage {
 	require.NoError(t, err)
 	return c
 }
+
+func Test_IsAllowedIPValue(t *testing.T) {
+	cases := []struct {
+		title      string
+		ip         string
+		allowedIps []string
+		expected   bool
+	}{
+		{
+			title:    "private ipv4",
+			ip:       "192.168.1.2",
+			expected: true,
+		},
+		{
+			title:    "private ipv4 other range",
+			ip:       "10.2.2.2",
+			expected: true,
+		},
+		{
+			title:    "documentation IPv4",
+			ip:       "192.0.2.10",
+			expected: true,
+		},
+		{
+			title:    "documentation IPv6",
+			ip:       "2001:0DB8:1000:1000:1000:1000:1000:1000",
+			expected: true,
+		},
+		{
+			title:    "unspecified ipv4",
+			ip:       "0.0.0.0",
+			expected: true,
+		},
+		{
+			title:    "unspecified ipv6",
+			ip:       "0:0:0:0:0:0:0:0",
+			expected: true,
+		},
+		{
+			title:    "ip allowed CIDR",
+			ip:       "89.160.20.115",
+			expected: true,
+			allowedIps: []string{
+				"89.160.20.112/28",
+			},
+		},
+		{
+			title:    "not valid ipv4",
+			ip:       "216.160.83.57",
+			expected: false,
+			allowedIps: []string{
+				"89.160.20.112/28",
+			},
+		},
+		{
+			title:    "not valid ipv6",
+			ip:       "2002:2002:1000:1000:1000:1000:1000:1000",
+			expected: false,
+			allowedIps: []string{
+				"89.160.20.112/28",
+			},
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.title, func(t *testing.T) {
+			allowedCIDRs := []*net.IPNet{}
+			for _, cidr := range c.allowedIps {
+				_, cidr, err := net.ParseCIDR(cidr)
+				require.NoError(t, err)
+				allowedCIDRs = append(allowedCIDRs, cidr)
+			}
+			v := Validator{
+				disabledDependencyManagement: true,
+				enabledAllowedIPCheck:        true,
+				allowedCIDRs:                 allowedCIDRs,
+			}
+
+			allowed := v.isAllowedIPValue(c.ip)
+			assert.Equal(t, c.expected, allowed)
+		})
+	}
+
+}