Fix/msf host info cidr filtering

[kx7m2qd]

What this fixes

Fixes #21405

The msf_host_info MCP tool was not honoring CIDR range filters. When a CIDR
like 192.168.159.0/24 was passed as the addresses parameter, it was forwarded
directly to db_hosts which does exact string matching — so no hosts were ever
returned.

The fix detects CIDR notation (presence of /) and performs the filtering in Ruby
using IPAddr after fetching all hosts, instead of passing the CIDR to the API.
Exact IP addresses continue to be passed to the API as before.

Verification

• Start the MCP server: ./msfconsole --mcp-transport http
• Ensure your database has hosts in multiple subnets (e.g. some in 192.168.159.0/24 and some outside it)
• Query with no filter — verify all hosts are returned
• Query with a single IP e.g. 192.168.159.10 — verify only that host is returned
• Query with CIDR 192.168.159.0/24 — verify only hosts in that subnet are returned
• Query with CIDR + only_up=true — verify results are filtered correctly
• Verify hosts outside the CIDR range are not included in results
• Verify exact IP filtering still works as before

[smcintyre-r7]

These changes make sense to me. So the RPC endpoint doesn't actually support CIDR notation, so you're fixing it here with a bit of post processing. @cdelafuente-r7 Does this seem reasonable, or do you think the fix should be applied to the RPC endpoint? Keeping the logic here would contain the blast radius of potential bugs, e.g. if current RPC clients are aware of and reliant on this behavior.

@kx7m2qd One issue I am seeing is that this branch has changes from your previous PR. All commits before 0aaed23 should be dropped since I already merged those in for you from your previous PR. Please rebase this to drop those commits.

[cdelafuente-r7]

I think it makes more sense to fix the RPC endpoint instead. This would be beneficial for anything using the API. Since the default behavior (accepting just one IP) will still be accepted, I don't think this would impact many RPC clients. These clients should already be sending a single IP.

[smcintyre-r7]

@kx7m2qd Are you up for adjusting the approach? We'd want to have these changes reverted, and the filtering added to the RPC end point instead. If you're not just let us know, and we'll close this out.

[kx7m2qd]

Sure, happy to adjust the approach! I'll revert the MCP-layer changes and move the CIDR filtering to the RPC endpoint. Could you point me to the relevant file? I'm guessing it's somewhere in lib/msf/core/mcp/metasploit/ is it the messagepack_client.rb or jsonrpc_client.rb db_hosts method where the fix should live?

[smcintyre-r7]

It might be this https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/rpc/v10/rpc_db.rb#L403 but I'm not entirely sure.

[kx7m2qd]

Thanks! I can see the fix in rpc_hosts at line 405 where conditions[:address] = opts[:addresses] does exact string matching. Since Metasploit supports both PostgreSQL and SQLite, a pure SQL CIDR query won't be portable. The safest approach would be to detect CIDR notation, skip adding it to the where conditions, and filter using IPAddr in Ruby after fetching. Does that work, or is there a preferred approach for cross-database CIDR support?

[cdelafuente-r7]

@kx7m2qd , thanks for updating the RPC endpoint. I left a few comments and suggestions. This would be great to have specs for this but we don't have any for this file, so it looks like it is out-of-scope. I'll add an issue for this.

[cdelafuente-r7]

This will remove the network block information and give you the network address only. I don't think this will work when you build the SQL query later:

[20] pry(main)> cidr_strs = ["4.5.6.7/24", "6.6.6.7/32"]
=> ["4.5.6.7/24", "6.6.6.7/32"]
[21] pry(main)> cidr_filters = cidr_strs.map { |c| IPAddr.new(c).to_string }
=> ["4.5.6.0", "6.6.6.7"]

A valid CIDR would be:

["4.5.6.0/24", "6.6.6.7/32"]

I believe you want IPAddr.new(c).cidr instead?

[cdelafuente-r7]

I'm concerned this will only be compatible with PostgreSQL. We have a plan to migrate to SQLite at some point. Do you think it would be possible to use a more portable solution?

[smcintyre-r7]

I've raised this point about us using the IP address types in PostgreSQL multiple times when we've had those discussions. I don't know if there is a more portable solution because there's not a IP / Network data type in SQLite AFAIK. We could do something fancy with bitmasks and integers maybe but that would probably also be dialect specific and this PR here is not the right spot to figure out how we should handle the broader problem of migrating from PostgreSQL to SQLite.

[cdelafuente-r7]

These spaces are not necessary. It is something rubocop usually flags as an issue (we don't have AllowForAlignment set globally) and should be kept as it was originally.

Rubocop error for references:

Layout/ExtraSpacingWithBinDataIgnored: Unnecessary spacing detected.

[cdelafuente-r7]

It looks like this option is wrongly documented. Apparently, addresses is used instead. Also, the documentation should mention that CIDR are accepted.

[smcintyre-r7]

I fixed this but the location isn't here. L385 is the return value, L374 is the argument (where I made the change).

[cdelafuente-r7]

Thanks for the update! There is just one missing variable name change and it will be good to go.

[cdelafuente-r7]

I believe cidr_filters should be replaced by cidr_addrs:

Suggested change

	cidr_filters = []
	cidr_addrs = []