[BUG] Mixed IPv4/IPv6 allowed_networks can crash safe-mode target validation #607

@eshaanag

Summary

_net_within_allowed_networks() raises an uncaught TypeError when a single-IP target and an operator-configured CIDR in settings.allowed_networks use different IP versions. The multi-address-network branch already checks net.version == allowed_net.version, but the single-IP branch calls subnet_of()/overlaps() without that guard.

I found this while auditing IPv6 validation behavior on current main (f3a493b). I could not find an existing issue or PR for the mixed-version crash. This is separate from #204: it does not change which ranges are allowed or blocked, DNS behavior, redirects, or network-policy precedence.

Why this matters

SecuScan explicitly supports IPv4 and IPv6 network policy. An operator who adds an IPv6 CIDR to SECUSCAN_ALLOWED_NETWORKS can cause otherwise valid IPv4 safe-mode target validation to fail with an exception instead of returning a validation result. In an API request path this can surface as a server error.

Reproduction steps

From the repository root:

PYTHONPATH=. python -c 'from backend.secuscan.validation import validate_target; from backend.secuscan.config import settings; settings.allowed_networks=["fc00::/7"]; print(validate_target("127.0.0.1", safe_mode=True))'

Actual behavior

TypeError: 127.0.0.1/32 and fc00::/7 are not of the same version

The exception comes from the single-address branch in backend/secuscan/validation.py:

if net.subnet_of(allowed_net) or net.overlaps(allowed_net):

Expected behavior

Mixed IPv4/IPv6 entries should be skipped safely. Validation should continue checking same-version entries and return the normal (is_valid, error_message) tuple without raising.

Scope

Suggested files:

  • backend/secuscan/validation.py
  • testing/backend/unit/test_validation.py

Out of scope:

Definition of done

  • Add an IP-version guard to the single-IP allowed_networks CIDR comparison path
  • Preserve wildcard and same-version CIDR behavior
  • Add regression tests for IPv4 target + IPv6 allowlist and IPv6 target + IPv4 allowlist
  • Add a positive mixed-list test proving a later same-version entry can still allow the target
  • Existing validation tests pass

This looks like a focused intermediate backend/security correctness fix. I would like to work on it under GSSoC 2026; please assign it to me if the scope is accepted.
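
The single-IP comparison described in this issue, shown without and with an IP-version guard, as an added example (not SecuScan's code and not written by the issue author). The function names are hypothetical; only the standard-library ipaddress module is assumed.

```python
import ipaddress


def within_allowed_unguarded(target, allowed_networks):
    """Single-IP path as the issue describes it: no version check (hypothetical name)."""
    net = ipaddress.ip_network(target, strict=False)
    for entry in allowed_networks:
        allowed_net = ipaddress.ip_network(entry, strict=False)
        # subnet_of() raises TypeError when the two networks differ in IP version.
        if net.subnet_of(allowed_net) or net.overlaps(allowed_net):
            return True
    return False


def within_allowed_guarded(target, allowed_networks):
    """Same comparison with the version guard (hypothetical name)."""
    net = ipaddress.ip_network(target, strict=False)
    for entry in allowed_networks:
        allowed_net = ipaddress.ip_network(entry, strict=False)
        if net.version != allowed_net.version:
            # A v4 target can never be inside a v6 CIDR (and vice versa):
            # skip the entry and keep checking the rest of the list.
            continue
        if net.subnet_of(allowed_net) or net.overlaps(allowed_net):
            return True
    # Fail closed: no same-version entry matched, so the target is not allowed.
    return False


def raises_type_error(func, target, allowed_networks):
    """Report whether a check crashes instead of returning a decision."""
    try:
        func(target, allowed_networks)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs mirroring the issue's reproduction and definition of done.
    cases = [
        ("127.0.0.1", ["fc00::/7"]),
        ("fd00::1", ["10.0.0.0/8"]),
        ("127.0.0.1", ["fc00::/7", "127.0.0.0/8"]),
    ]
    for target, allowed in cases:
        crashed = raises_type_error(within_allowed_unguarded, target, allowed)
        print(target, allowed, "unguarded crashes:", crashed,
              "guarded result:", within_allowed_guarded(target, allowed))
```

The guard skips a mismatched entry rather than treating it as a match, so a list containing only other-version CIDRs yields "not allowed" rather than an exception.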
