This is an automated email from the ASF dual-hosted git repository.

adoroszlai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ozone.git


The following commit(s) were added to refs/heads/master by this push:
     new 86ee18ff2bb HDDS-13673. Bump commons-validator to 1.10.0 (#9020)
86ee18ff2bb is described below

commit 86ee18ff2bb8e6ba53a94b696f6b655e45f2ef29
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Wed Sep 24 21:18:32 2025 +0200

    HDDS-13673. Bump commons-validator to 1.10.0 (#9020)
    
    Co-authored-by: Istvan Fajth <[email protected]>
---
 .../org/apache/hadoop/ozone/OzoneSecurityUtil.java | 40 ++++++++++++++++++++--
 pom.xml                                            |  2 +-
 2 files changed, 39 insertions(+), 3 deletions(-)

diff --git 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
index 1d8b69fb9b4..76ce8ebd917 100644
--- 
a/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
+++ 
b/hadoop-hdds/common/src/main/java/org/apache/hadoop/ozone/OzoneSecurityUtil.java
@@ -24,6 +24,7 @@
 
 import java.io.File;
 import java.io.IOException;
+import java.net.Inet6Address;
 import java.net.InetAddress;
 import java.net.NetworkInterface;
 import java.nio.file.Path;
@@ -108,8 +109,8 @@ public static List<InetAddress> 
getValidInetsForCurrentHost()
           InetAddress addr = enumAdds.nextElement();
 
           String hostAddress = addr.getHostAddress();
-          if (!INVALID_IPS.contains(hostAddress)
-              && ipValidator.isValid(hostAddress)) {
+          if (!INVALID_IPS.contains(hostAddress) && 
ipValidator.isValid(hostAddress)
+              && !isScopedOrMaskingIPv6Address(addr)) {
             LOG.info("Adding ip:{},host:{}", hostAddress, addr.getHostName());
             hostIps.add(addr);
           } else {
@@ -122,6 +123,41 @@ public static List<InetAddress> 
getValidInetsForCurrentHost()
     return hostIps;
   }
 
+  /**
+   * Determines if the supplied address is an IPv6 address, with a defined 
scope-id and/or with a defined prefix length.
+   * <p>
+   * This method became necessary after Commons Validator was upgraded from 
1.6 version to 1.10. In 1.10 version the
+   * IPv6 addresses with a scope-id and/or with a prefix specifier became 
valid IPv6 addresses, but as these features
+   * are changing the string representation to do not represent only the 16 
octet that specifies the address, the
+   * string representation can not be used as it is as a SAN extension in 
X.509 anymore as in RFC-5280 this type of
+   * Subject Alternative Name is exactly 4 octets in case of an IPv4 address, 
and 16 octets in case of an IPv6 address.
+   * BouncyCastle does not have support to deal with these in an IPAddress 
typed GeneralName, so we need to keep the
+   * previous behaviour, and skip IPv6 addresses with a prefix length and/or a 
scope-id.
+   * <p>
+   * According to RFC-4007 and the InetAddress contract the scope-id is at the 
end of the address' strin
+   * representation, separated by a '%' character from the address.
+   * According to RFC-4632 there is a possibility to specify a prefix length 
at the end of the address to specify
+   * routing related information. RFC-4007 specifies the prefix length to come 
after the scope-id.
+   * <p>
+   *
+   * @param addr the InetAddress to check
+   * @return if the InetAddress is an IPv6 address and if so it contains a 
scope-id and/or a prefix length.
+   * @see <a href="https://datatracker.ietf.org/doc/html/rfc4007";>RFC-4007 - 
Scoped IPv6 Addresses</a>
+   * @see <a 
href="https://datatracker.ietf.org/doc/html/rfc4632#section-5.1";>RFC-4632 - 
CIDR addressing strategy -
+   *        prefix length</a>
+   * @see <a 
href="https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6";>RFC-5280 - 
SAN description</a>
+   * @see <a 
href="https://issues.apache.org/jira/browse/VALIDATOR-445";>VALIDATOR-445 - 
Commons Validator change</a>
+   * @see <a href="https://github.com/bcgit/bc-java/issues/2024";>BouncyCastle 
issue discussion about scoped IPv6
+   *        addresses</a>
+   */
+  public static boolean isScopedOrMaskingIPv6Address(InetAddress addr) {
+    if (addr instanceof Inet6Address) {
+      String hostAddress = addr.getHostAddress();
+      return hostAddress.contains("/") || hostAddress.contains("%");
+    }
+    return false;
+  }
+
   /**
    * Convert list of string encoded certificates to list of X509Certificate.
    * @param pemEncodedCerts
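Review bot: `isScopedOrMaskingIPv6Address` decides by substring search on `addr.getHostAddress()`, and as far as I know `Inet6Address.getHostAddress()` only ever appends a `%scope` suffix and never a `/prefix`, so the `hostAddress.contains("/")` half looks unreachable for an `InetAddress` argument. Using the typed accessors would state the intent without depending on the string format, for example `Inet6Address a6 = (Inet6Address) addr; return a6.getScopedInterface() != null || a6.getScopeId() != 0;`, though the edge case of an explicitly set scope-id of 0 should be confirmed before treating the two as equivalent. The Javadoc says this filter controls which addresses end up as IPAddress SAN entries in certificates, yet the diffstat lists only this file and `pom.xml`, so nothing pins the behaviour against the next validator upgrade; a unit test with a scoped link-local address and a plain global one would cover it. The Javadoc also has a truncated word (`address' strin`) and an `@return` that does not say which outcome yields `true`; something like `@return true if addr is an IPv6 address whose textual form carries a scope-id or prefix length, false otherwise` would be clearer. The hunk ends inside the next method's Javadoc, which is unchanged context.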
diff --git a/pom.xml b/pom.xml
index 96bda536f80..fec8c5ccb0e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -62,7 +62,7 @@
     <commons-math3.version>3.6.1</commons-math3.version>
     <commons-net.version>3.11.1</commons-net.version>
     <commons-text.version>1.13.1</commons-text.version>
-    <commons-validator.version>1.6</commons-validator.version>
+    <commons-validator.version>1.10.0</commons-validator.version>
     <compile-testing.version>0.23.0</compile-testing.version>
     <copy-rename-maven-plugin.version>1.0.1</copy-rename-maven-plugin.version>
     <curator.version>4.2.0</curator.version>

