From b3ff1b067cbcd2ee88f5d46d2193eee8b569cf5a Mon Sep 17 00:00:00 2001
From: Mahmoud Hamdi <hmdy7486@gmail.com>
Date: Sun, 29 Mar 2026 04:12:17 +0200
Subject: [PATCH] fix: allow CIDR prefix length /0 to trust all addresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The range validation in parseipNotation rejected /0 prefix length
because the check used `range <= 0`, which incorrectly treated 0 as
invalid. However, /0 is valid CIDR notation meaning "match all
addresses" — 0.0.0.0/0 matches all IPv4 and ::/0 matches all IPv6.

Changed the validation to explicitly check for null (invalid format)
separately from the numeric range check, allowing 0 as a valid prefix
length.

Fixes jshttp/proxy-addr#28
---
 index.js     |  2 +-
 test/test.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/index.js b/index.js
index a909b05..9c0f306 100644
--- a/index.js
+++ b/index.js
@@ -188,7 +188,7 @@ function parseipNotation (note) {
     range = null
   }
 
-  if (range <= 0 || range > max) {
+  if (range === null || range < 0 || range > max) {
     throw new TypeError('invalid range on address: ' + note)
   }
 
diff --git a/test/test.js b/test/test.js
index 4f8949c..2cfd7bb 100644
--- a/test/test.js
+++ b/test/test.js
@@ -235,6 +235,13 @@ describe('proxyaddr(req, trust)', function () {
       assert.strictEqual(proxyaddr(req, '10.0.0.2/26'), '10.0.0.200')
     })
 
+    it('should accept /0 CIDR to trust all addresses', function () {
+      var req = createReq('10.0.0.1', {
+        'x-forwarded-for': '192.168.0.1, 172.16.0.1'
+      })
+      assert.strictEqual(proxyaddr(req, '0.0.0.0/0'), '192.168.0.1')
+    })
+
     it('should accept netmask notation', function () {
       var req = createReq('10.0.0.1', {
         'x-forwarded-for': '192.168.0.1, 10.0.0.200'
@@ -490,6 +497,14 @@ describe('proxyaddr.compile(trust)', function () {
         assert.throws(proxyaddr.compile.bind(null, '::ffff:a00:2/-46'), /invalid range on address/)
       })
 
+      it('should accept IPv4 CIDR /0', function () {
+        assert.strictEqual(typeof proxyaddr.compile('0.0.0.0/0'), 'function')
+      })
+
+      it('should accept IPv6 CIDR /0', function () {
+        assert.strictEqual(typeof proxyaddr.compile('::/0'), 'function')
+      })
+
       it('should not alter input array', function () {
         var arr = ['loopback', '10.0.0.1']
         assert.strictEqual(typeof proxyaddr.compile(arr), 'function')