From a5bb6d27515f1862984161eda57a92a3836cd4e7 Mon Sep 17 00:00:00 2001
From: Henri Vasserman
Date: Fri, 14 Nov 2025 05:39:50 +0200
Subject: [PATCH] test: ipv4 in v6 address checking (#1271)
* test: ipv4 in v6 address checking
* fix(lib/policy): unmap 4in6 addresses in RemoteAddrChecker
Signed-off-by: Xe Iaso
* docs: update CHANGELOG
Signed-off-by: Xe Iaso
* docs: perfect CHANGELOG
Signed-off-by: Xe Iaso
---------
Signed-off-by: Xe Iaso
Co-authored-by: Xe Iaso
---
 docs/docs/CHANGELOG.md | 5 +++--
 lib/policy/checker.go | 5 +++++
 lib/policy/checker_test.go | 14 ++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index d5486cb..e6bd0fc 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -15,8 +15,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Allow more OCI registry clients [based on feedback](https://github.com/TecharoHQ/anubis/pull/1253#issuecomment-3506744184).
 - Expose services directory in the embedded `(data)` filesystem.
-- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044))
-- Allow Renovate as an OCI registry client
+- Add Ukrainian locale ([#1044](https://github.com/TecharoHQ/anubis/pull/1044)).
+- Allow Renovate as an OCI registry client.
+- Properly handle 4in6 addresses so that IP matching works with those addresses.
 ## v1.23.1: Lyse Hext - Echo 1
diff --git a/lib/policy/checker.go b/lib/policy/checker.go
index 4f5ad55..8b88a5b 100644
--- a/lib/policy/checker.go
+++ b/lib/policy/checker.go
@@ -51,6 +51,11 @@ func (rac *RemoteAddrChecker) Check(r *http.Request) (bool, error) {
 return false, fmt.Errorf("%w: %s is not an IP address: %w", ErrMisconfiguration, host, err)
 }
+ // Convert IPv4-mapped IPv6 addresses to IPv4
+ if addr.Is6() && addr.Is4In6() {
+ addr = addr.Unmap()
+ }
+
 return rac.prefixTable.Contains(addr), nil
 }
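Review bot: The request address is now unmapped before `rac.prefixTable.Contains(addr)`, but nothing in this hunk shows the configured CIDRs being normalized the same way, so the two sides of the comparison may no longer agree. Under net/netip semantics an IPv4 address does not fall inside an IPv6 prefix, so a rule written as `::/0` or `::ffff:0:0/96` that used to match a 4in6 client would presumably stop matching after this change. That should be confirmed against the prefix table implementation and stated in the comment, e.g. `// Unmap 4in6 so IPv4 CIDR rules apply; such clients no longer match IPv6 prefixes.` The guard can also be reduced to `addr = addr.Unmap()`, since `Is4In6` already implies `Is6` and `Unmap` returns every other address unchanged. The body of Check starts above the hunk.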
diff --git a/lib/policy/checker_test.go b/lib/policy/checker_test.go
index 6cc3e0d..ce27a78 100644
--- a/lib/policy/checker_test.go
+++ b/lib/policy/checker_test.go
@@ -21,6 +21,20 @@ func TestRemoteAddrChecker(t *testing.T) {
 ok: true,
 err: nil,
 },
+ {
+ name: "match_ipv4_in_ipv6",
+ cidrs: []string{"0.0.0.0/0"},
+ ip: "::ffff:1.1.1.1",
+ ok: true,
+ err: nil,
+ },
+ {
+ name: "match_ipv4_in_ipv6_hex",
+ cidrs: []string{"0.0.0.0/0"},
+ ip: "::ffff:101:101",
+ ok: true,
+ err: nil,
+ },
 {
 name: "match_ipv6",
 cidrs: []string{"::/0"},
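Review bot: Both new cases in TestRemoteAddrChecker use `0.0.0.0/0`, which contains every IPv4 address, so they show that a 4in6 address is unmapped but not that it is matched against the right prefix or rejected when it falls outside one. Because this check backs IP-based policy rules, a narrow-prefix match and a non-match for a mapped address would pin the behaviour those rules depend on. The cases below are constructed from the RFC 5737 documentation ranges. The `ok: false, err: nil` expectation follows from Check returning the Contains result with a nil error, and assumes the table loop compares `ok` directly; that loop is outside the hunk.

```go
		// constructed cases (RFC 5737 documentation ranges)
		{
			name:  "match_ipv4_in_ipv6_narrow_prefix",
			cidrs: []string{"192.0.2.0/24"},
			ip:    "::ffff:192.0.2.10",
			ok:    true,
			err:   nil,
		},
		{
			name:  "not_match_ipv4_in_ipv6",
			cidrs: []string{"192.0.2.0/24"},
			ip:    "::ffff:198.51.100.10",
			ok:    false,
			err:   nil,
		},
		// … unchanged: existing match_ipv6 case …
```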