Fix implementation of ContainsCIDR to allow non-equal addresses

Kubernetes-commit: b7c80f7f1592356e796a64958bec9a05e0fe3ba1
2025-02-26 14:24:58 +00:00 · 2025-02-26 14:24:58 +00:00 · 64791740ae
parent 6a65641968
commit 64791740ae
2 changed files with 11 additions and 2 deletions
--- a/pkg/cel/library/cidr.go
+++ b/pkg/cel/library/cidr.go
@ -229,8 +229,7 @@ func cidrContainsCIDR(arg ref.Val, other ref.Val) ref.Val {
 		return types.MaybeNoSuchOverloadErr(other)
 	}

-	equalMasked := cidr.Prefix.Masked() == netip.PrefixFrom(containsCIDR.Prefix.Addr(), cidr.Prefix.Bits())
-	return types.Bool(equalMasked && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits())
+	return types.Bool(cidr.Overlaps(containsCIDR.Prefix) && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits())
 }

 func prefixLength(arg ref.Val) ref.Val {
--- a/pkg/cel/library/cidr_test.go
+++ b/pkg/cel/library/cidr_test.go
@ -151,11 +151,21 @@ func TestCIDR(t *testing.T) {
 			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.0/25"))`,
 			expectResult: trueVal,
 		},
+		{
+			name:         "contains CIDR ipv4 (CIDR) (/32)",
+			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.1/32"))`,
+			expectResult: trueVal,
+		},
 		{
 			name:         "does not contain IP ipv4 (CIDR)",
 			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.168.0.0/23"))`,
 			expectResult: falseVal,
 		},
+		{
+			name:         "does not contain IP ipv4 (CIDR) (/32)",
+			expr:         `cidr("192.168.0.0/24").containsCIDR(cidr("192.169.0.1/32"))`,
+			expectResult: falseVal,
+		},
 		{
 			name:         "contains CIDR ipv4 (string)",
 			expr:         `cidr("192.168.0.0/24").containsCIDR("192.168.0.0/25")`,