From 85c0c1ea222d2c70662de5a03ecaf04b6498006e Mon Sep 17 00:00:00 2001 From: Yuriy Andamasov Date: Thu, 14 May 2026 00:43:41 +0300 Subject: ci(doc-linter): check every IP on a line, not just the first MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `lint_ipv4()` and `lint_ipv6()` used `re.search`, which returns only the first match. A line like Set DNS forwarder 192.0.2.1 then fall back to 8.8.8.8 flagged nothing because `192.0.2.1` (RFC 5737 documentation range) is allowed and the search stopped there. The real public IP `8.8.8.8` slipped through despite being exactly the case the linter was meant to catch. Switch both functions to `re.finditer` and walk every match: return on the first disallowed address; only return None when all matches on the line are allowed (private / multicast / non-global). Also fix the casing of "private space" in both error messages — was "private Space" with a stray capital. Verified with 7 hand-coded cases (allowed + public mixes, boundary cases, IPv6 RFC 3849 / Google DNS). All pass. Tracked as items 1, 2, and 10 of the rolling-side cleanup backlog from PR #2014 / #2019 / #2020 reviews. 🤖 Generated by [robots](https://vyos.io) --- scripts/doc-linter.py | 41 +++++++++++++++++++++++++---------------- 1 file changed, 25 insertions(+), 16 deletions(-) (limited to 'scripts') diff --git a/scripts/doc-linter.py b/scripts/doc-linter.py index 2214a851..3903e2cf 100644 --- a/scripts/doc-linter.py +++ b/scripts/doc-linter.py @@ -89,32 +89,41 @@ def is_suppression_marker(line, kind, in_md_fence, in_rst_codeblock, def lint_ipv4(cnt, line): - """Flag IPv4 addresses outside RFC 5737 / private / multicast ranges.""" - ip = re.search(IPV4ADDR, line, re.I) - if ip is not None: - ip = ipaddress.ip_address(ip.group().strip(' ')) + """Flag IPv4 addresses outside RFC 5737 / private / multicast ranges. + + Iterates over every IPv4 match on the line — a line with an + allowed address followed by a real public address must not + pass just because the first match is allowed. + """ + for match in re.finditer(IPV4ADDR, line, re.I): + ip = ipaddress.ip_address(match.group().strip(' ')) # https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address.is_private if ip.is_private: - return None + continue if ip.is_multicast: - return None + continue if ip.is_global is False: - return None - return (f"Use IPv4 reserved for Documentation (RFC 5737) or private Space: {ip}", cnt, 'error') + continue + return (f"Use IPv4 reserved for Documentation (RFC 5737) or private space: {ip}", cnt, 'error') + return None def lint_ipv6(cnt, line): - """Flag IPv6 addresses outside RFC 3849 / private / multicast ranges.""" - ip = re.search(IPV6ADDR, line, re.I) - if ip is not None: - ip = ipaddress.ip_address(ip.group().strip(' ')) + """Flag IPv6 addresses outside RFC 3849 / private / multicast ranges. + + Iterates over every IPv6 match on the line — same all-matches + discipline as `lint_ipv4`. + """ + for match in re.finditer(IPV6ADDR, line, re.I): + ip = ipaddress.ip_address(match.group().strip(' ')) if ip.is_private: - return None + continue if ip.is_multicast: - return None + continue if ip.is_global is False: - return None - return (f"Use IPv6 reserved for Documentation (RFC 3849) or private Space: {ip}", cnt, 'error') + continue + return (f"Use IPv6 reserved for Documentation (RFC 3849) or private space: {ip}", cnt, 'error') + return None def lint_linelen(cnt, line): -- cgit v1.2.3