fix(tls): handle bracketed IPv6 hostnames in checkServerIdentity #30662

Open: Abioy wants to merge 1 commit into oven-sh:main from Abioy:syy_fix_ipv6


@Abioy Abioy commented May 14, 2026

Strip IPv6 literal brackets before net.isIP() check, since net.isIP("[::1]") returns 0. The brackets are a URL convention, not part of the actual address, so they must be removed before IP validation and matching.

What does this PR do?

Fixes tls.checkServerIdentity rejecting valid IPv6 hostnames in bracket form like [::1] or [2001:db8::1]. The brackets are a URL convention for IPv6 literals, not part of the actual IP address. Previously, net.isIP("[::1]") returned 0 (not an IP), causing the function to incorrectly treat it as a DNS name and always fail validation.

How did you verify your code works?

  • Stripped-bracket hostnames now pass net.isIP() correctly: [::1] → ::1 → isIP=6
  • All 42 existing test cases in test-tls-check-server-identity.js continue to pass
  • Added 6 new IPv6 test cases covering: bare ::1, bracketed [::1], uppercase [2001:DB8::1], mismatched addresses, and bracketed IP against DNS-only SAN
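
The bracket normalization described above, as an added example that is not the PR's or Bun's code. The helper names stripIPv6Brackets and checkIdentity and the two certificate objects are constructed for illustration; it assumes a Node-compatible runtime and strips brackets only when they wrap a valid IPv6 literal, so any other bracketed string is still validated exactly as given.

```javascript
const net = require("node:net");
const tls = require("node:tls");

// Hypothetical helper: remove URL-style brackets only around a valid IPv6 literal.
function stripIPv6Brackets(host) {
  const h = String(host);
  if (h.length > 2 && h.startsWith("[") && h.endsWith("]")) {
    const inner = h.slice(1, -1);
    if (net.isIP(inner) === 6) return inner;
  }
  return h; // anything else is left untouched and validated as given
}

// Hypothetical wrapper: undefined on a match, an Error otherwise
// (the same contract as tls.checkServerIdentity).
function checkIdentity(host, cert) {
  return tls.checkServerIdentity(stripIPv6Brackets(host), cert);
}

// Constructed certificate objects in the shape returned by getPeerCertificate().
const certWithIpSan = {
  subject: { CN: "constructed.example" },
  subjectaltname: "IP Address:0:0:0:0:0:0:0:1",
};
const certDnsOnly = {
  subject: { CN: "constructed.example" },
  subjectaltname: "DNS:constructed.example",
};

function demo() {
  const describe = (r) => (r === undefined ? "match" : r.code);
  return {
    rawIsIP: net.isIP("[::1]"),                           // brackets defeat IP detection
    strippedIsIP: net.isIP(stripIPv6Brackets("[::1]")),   // recognised as IPv6
    bracketed: describe(checkIdentity("[::1]", certWithIpSan)),
    bare: describe(checkIdentity("::1", certWithIpSan)),
    mismatched: describe(checkIdentity("[::2]", certWithIpSan)),
    dnsOnlySan: describe(checkIdentity("[::1]", certDnsOnly)),
    nonIpBracketed: stripIPv6Brackets("[constructed.example]"),
  };
}

console.log(demo());
```
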

@claude claude Bot left a comment

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

coderabbitai Bot commented May 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 846fac6e-0b80-44ad-a4b4-b41d4b656d7e

📥 Commits

Reviewing files that changed from the base of the PR and between b8ecc78 and 15b0b3f.

📒 Files selected for processing (2)
  • src/js/node/tls.ts
  • test/js/node/test/parallel/test-tls-check-server-identity.js

Walkthrough

This PR fixes IPv6 server identity validation in Node.js TLS by stripping bracket literals ([ and ]) from IPv6 hostnames before IP validation, ensuring they are correctly matched against certificate IP SANs. New test cases validate IPv6 handling across direct and bracketed formats, matching and mismatching scenarios.

Changes

IPv6 Server Identity Validation

Layer / File(s) | Summary
IPv6 literal handling with bracket stripping (src/js/node/tls.ts, test/js/node/test/parallel/test-tls-check-server-identity.js) | checkServerIdentity now strips leading and trailing brackets from IPv6 hostnames before calling net.isIP and comparing against certificate IP SANs. Test vectors cover unbracketed and bracketed IPv6 formats, correct IP matching, mismatched SAN failures, and DNS-only SAN error paths.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: fixing TLS checkServerIdentity to handle bracketed IPv6 hostnames, which is the core purpose of this pull request.
Description check | ✅ Passed | The description includes both required template sections ('What does this PR do?' and 'How did you verify your code works?') with detailed, substantive content addressing the fix, its rationale, and comprehensive test verification.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

