vertexproject · vEpiphyte · Sep 24, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/synapse/common.py b/synapse/common.py
@@ -21,6 +21,7 @@
 import builtins
 import tempfile
 import warnings
+import ipaddress
 import functools
 import itertools
 import threading
@@ -68,6 +69,12 @@
     logger.warning('* See PyYAML docs (https://pyyaml.org/wiki/PyYAMLDocumentation) for tips on resolving this issue.   *')
     logger.warning('*****************************************************************************************************')
 
+if version < (3, 11, 10):
+    # FIXME REMOTE PRINT
+    print(f'FALLLING BACK TO VENDORED IPADDRESS LIBRARY: {version}')
+    # Fallback to using the vendored IPaddress library
+    import synapse.vendor.cpython.ipaddress as ipaddress
+
 def now():
     '''
     Get the current epoch time in milliseconds.

diff --git a/synapse/lib/chop.py b/synapse/lib/chop.py
@@ -1,5 +1,4 @@
 import binascii
-import ipaddress
 
 import regex
 

diff --git a/synapse/lib/layer.py b/synapse/lib/layer.py
@@ -62,7 +62,6 @@
 import struct
 import asyncio
 import logging
-import ipaddress
 import contextlib
 import collections
 
@@ -87,6 +86,9 @@
 
 from synapse.lib.msgpack import deepcopy
 
+# Use the ipaddress module we import from s_common
+ipaddress = s_common.ipaddress
+
 logger = logging.getLogger(__name__)
 
 import synapse.lib.msgpack as s_msgpack

diff --git a/synapse/lib/scrape.py b/synapse/lib/scrape.py
@@ -7,7 +7,6 @@
 
 import idna
 import regex
-import ipaddress
 import unicodedata
 
 import synapse.exc as s_exc
@@ -21,6 +20,8 @@
 
 import synapse.lib.crypto.coin as s_coin
 
+# Use the ipaddress module we import from s_common
+ipaddress = s_common.ipaddress
 
 logger = logging.getLogger(__name__)
 

diff --git a/synapse/lib/stormlib/ipv6.py b/synapse/lib/stormlib/ipv6.py
@@ -1,11 +1,12 @@
 import logging
-import ipaddress
-
 
 import synapse.exc as s_exc
+import synapse.common as s_common
 
 import synapse.lib.stormtypes as s_stormtypes
 
+# Use the ipaddress module we import from s_common
+ipaddress = s_common.ipaddress
 logger = logging.getLogger(__name__)
 
 @s_stormtypes.registry.registerLib

diff --git a/synapse/models/inet.py b/synapse/models/inet.py
@@ -1,8 +1,9 @@
 import socket
 import asyncio
 import hashlib
+import inspect
 import logging
-import ipaddress
+import functools
 import email.utils
 import urllib.parse
 
@@ -21,6 +22,10 @@
 import synapse.lookup.iana as s_l_iana
 
 logger = logging.getLogger(__name__)
+
+# Use the ipaddress module we import from s_common
+ipaddress = s_common.ipaddress
+
 drivre = regex.compile(r'^\w[:|]')
 fqdnre = regex.compile(r'^[\w._-]+$', regex.U)
 srv6re = regex.compile(r'^\[([a-f0-9\.:]+)\](?::(\d+))?$', regex.IGNORECASE)
@@ -803,6 +808,11 @@ def postTypeInit(self):
         s_types.Str.postTypeInit(self)
         self.setNormFunc(str, self._normPyStr)
 
+        self._parseaddr = email.utils.parseaddr
+        argspec = inspect.getfullargspec(self._parseaddr)
+        if 'strict' in argspec.kwonlyargs:
+            self._parseaddr = functools.partial(self._parseaddr, strict=False)
+
     def _normPyStr(self, valu):
 
         # remove quotes for normalized version
@@ -811,7 +821,7 @@ def _normPyStr(self, valu):
         valu = ' '.join(valu.split())
 
         try:
-            name, addr = email.utils.parseaddr(valu)
+            name, addr = self._parseaddr(valu)
         except Exception as e:  # pragma: no cover
             # not sure we can ever really trigger this with a string as input
             mesg = f'email.utils.parsaddr failed: {str(e)}'

diff --git a/synapse/tests/test_model_inet.py b/synapse/tests/test_model_inet.py
@@ -1290,6 +1290,15 @@ async def test_rfc2822_addr(self):
             self.len(2, await core.nodes('inet:rfc2822:addr^=unittest1'))
             self.len(1, await core.nodes('inet:rfc2822:addr^=unittest12'))
 
+            # CVE-2023-27043 related behavior
+            # DISCUSS Do we want to retain the OLD behavior or use the new strict behavior?
+            nodes = await core.nodes('[inet:rfc2822:addr?="[email protected]]<[email protected]>"]')
+            self.len(1, nodes)
+            # This is the python <=3.11.9 behavior or the behavior with strict=False
+            self.eq(nodes[0].ndef[1], '[email protected]')
+            # This is the 3.11.10+ behavior or the behavior with strict=True
+            # self.eq(nodes[0].ndef[1], '[email protected]]<[email protected]>')
+
     async def test_server(self):
         formname = 'inet:server'
         data = (
@@ -3364,3 +3373,15 @@ async def test_model_inet_service(self):
                 :channel -> inet:service:channel
                 +:name="/r/synapse"
             '''))
+
+    async def test_model_ipaddress_regression(self):
+        # TODO DATA MODEL MIGRATION
+        # TODO IPV6 VARIANT
+        async with self.getTestCore() as core:
+            q = '''
+            init { $l = () }
+            [inet:ipv4=192.0.0.9 inet:ipv4=192.0.0.0 inet:ipv4=192.0.0.255] $l.append(:type)
+            fini { return ( $l ) }
+            '''
+            resp = await core.callStorm(q)
+            self.eq(resp, ['unicast', 'private', 'private'])