From 9203600a2cc05ebf8309cf13bb5037424055e182 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 25 Mar 2026 02:10:30 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20Add=20input?=
 =?UTF-8?q?=20validation=20to=20prevent=20resource=20exhaustion=20(DoS)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Added validation to main block inputs `start_ip` and `end_ip`.
* Bounded scan range to 256 IPs to prevent resource exhaustion / DoS.
* Generated IP ranges robustly using the `ipaddress` module to prevent malformed strings.
Co-authored-by: ManupaKDU <95234271+ManupaKDU@users.noreply.github.com>
---
 testping1.py | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)
diff --git a/testping1.py b/testping1.py
index ecea5df..ff1030f 100644
--- a/testping1.py
+++ b/testping1.py
@@ -84,14 +84,28 @@ def is_reachable(ip, timeout=1):
 # Ensure you have permission to scan this subnet!
- # ⚡ Bolt: Optimized IP generation by extracting redundant string splitting outside the loop.
- # Improves performance from O(N * splits) to O(N) by caching the base IP prefix.
- base_ip = start_ip.rsplit('.', 1)[0]
- start_octet = int(start_ip.split('.')[-1])
- end_octet = int(end_ip.split('.')[-1])
- total_ips = end_octet - start_octet + 1
-
- ips_to_scan = [f"{base_ip}.{i}" for i in range(start_octet, end_octet + 1)]
+ # 🛡️ Sentinel: Validate main block inputs to prevent arbitrary execution or DoS
+ # Ensure start_ip and end_ip are valid IP addresses, are in the correct order,
+ # and limit the maximum scan range to prevent resource exhaustion.
+ try:
+ start_obj = ipaddress.ip_address(start_ip)
+ end_obj = ipaddress.ip_address(end_ip)
+
+ if start_obj > end_obj:
+ raise ValueError("start_ip must be less than or equal to end_ip")
+
+ total_ips = int(end_obj) - int(start_obj) + 1
+
+ # Limit to 256 IPs (typically one /24 subnet) to prevent Denial of Service
+ if total_ips > 256:
+ raise ValueError(f"Scan range too large ({total_ips} IPs). Maximum 256 IPs allowed per scan.")
+
+ except ValueError as e:
+ logging.error(f"Invalid scan range configuration: {e}")
+ exit(1)
+
+ # Generate the list of IPs to scan robustly using ipaddress objects
+ ips_to_scan = [str(start_obj + i) for i in range(total_ips)]
 # ⚡ Bolt: Parallelize network scanning using ThreadPoolExecutor
 # Reduces scan time significantly by performing pings concurrently instead of sequentially.
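Review bot: The `except ValueError as e:` handler does not cover the mixed-version case: `ipaddress.ip_address` accepts both IPv4 and IPv6 strings, and comparing an IPv4Address with an IPv6Address on the `if start_obj > end_obj:` line raises TypeError, so a start_ip of one family and an end_ip of the other escapes the validation with a traceback instead of the logged error and exit. Add a family check before the comparison, `if start_obj.version != end_obj.version: raise ValueError("start_ip and end_ip must be the same IP version")`, or widen the handler to `except (ValueError, TypeError) as e:`. The diffstat shows this hunk is the entire change, so unless `ipaddress` (and `logging`) are already imported above line 84, the first call to `ipaddress.ip_address` will raise NameError; worth confirming the imports before merging. `exit(1)` is the site-module helper rather than the `sys.exit(1)` / `raise SystemExit(1)` idiom, and `raise SystemExit(1)` needs no new import. The enclosing block that assigns start_ip and end_ip starts outside the hunk.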