IP and WAF: Add CIDR support

[nateweller]

Proposed changes:

• Adds support to the ip package for handling CIDR ranges in all utility functions.
• Adds support to the waf package for handling CIDR ranges in the block and allow lists.

Other information:

• Have you written new tests for your changes, if applicable?
• Have you checked the E2E test CI results, and verified that your changes do not break them?
• Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

https://github.com/Automattic/jetpack-scan-team/issues/1419

Does this pull request change what data or activity we track or use?

No

Testing instructions:

• Review and run unit tests added in this PR.
• Test the firewall and brute force protection features:
  • Test using both IPv4 and IPv6 addresses, with ranges using both hyphens and CIDR notation. See unit test for examples.
  • Test the firewall's block list.
  • Test that your IP address can be blocked by brute force protection.
  • Test the firewall's allow list for both the automatic firewall rules and brute force protection.

Easily testing CIDR notation: If your IP address is 127.0.0.1, use 127.0.0.0/24 as a range that translates to 127.0.0.*.

[github-actions]

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

• To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/ip/cidr branch.

  • For jetpack-mu-wpcom changes, also add define( 'JETPACK_MU_WPCOM_LOAD_VIA_BETA_PLUGIN', true ); to your wp-config.php file.

• To test on Simple, run the following command on your sandbox:

  bin/jetpack-downloader test jetpack add/ip/cidr
  

  bin/jetpack-downloader test jetpack-mu-wpcom-plugin add/ip/cidr
  

Interested in more tips and information?

• In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
• Read more about our development workflow here: PCYsg-eg0-p2
• Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

[github-actions]

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

• ✅ Include a description of your PR changes.
  
• ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  
• ✅ Add testing instructions.
  
• ✅ Specify whether this PR includes any changes to data or privacy.
  
• ✅ Add changelog entries to affected projects
  

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

---

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

---

Follow this PR Review Process:

1. Ensure all required checks appearing at the bottom of this PR are passing.
2. Choose a review path based on your changes:
   • A. Team Review: add the "[Status] Needs Team Review" label
     • For most changes, including minor cross-team impacts.
     • Example: Updating a team-specific component or a small change to a shared library.
   • B. Crew Review: add the "[Status] Needs Review" label
     • For significant changes to core functionality.
     • Example: Major updates to a shared library or complex features.
   • C. Both: Start with Team, then request Crew
     • For complex changes or when you need extra confidence.
     • Example: Refactor affecting multiple systems.
3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

[ArSn]

Other than that, as you know, I am not a big fan of having static calls everywhere due to the non-mockability, but it sure works.

[ArSn]

I think this could be replaced with a call to self::validate_netmask() and then return false if it comes back as false? This would also enable us to put the ctype_digit() check into that function and not have to check it individually beforehand (if we like to)

[nateweller]

I've gone ahead and used self::validate_netmask() here to avoid the code duplication! 👍

I do kind of like enforcing the numeric netmask up front in the parsing step, so that the parsing function deals with extracting it from the string and ensuring it is cast to the correct type right away, and the validation function only needs to validate the value of the netmask (no passing in strings to validate, that we will always want to use as integers anyways, if the validation passes).

No opinions strongly held though!

[nateweller]

Thank you @ArSn for the time reviewing and testing this PR!

Other than that, as you know, I am not a big fan of having static calls everywhere due to the non-mockability, but it sure works.

I don't disagree, although I like the convenience of providing static methods from a utility-type library like this, so that consumers can essentially just opt-in to whatever methods they want to use like quickly getting or validating an IP address.

Though it would be cool to interface with the package via classes that represent the IP lists, or individual IP addresses, i.e. new IP_List( array( ... ) ) or new IP_Address( ... ) and then work with methods off of the class instances.