
Improve http component to ban IP addresses by subnet #140661

Draft
wants to merge 9 commits into
base: dev

Conversation

HLFCode

@HLFCode HLFCode commented Mar 15, 2025

Breaking change

Not a breaking change. All extra functionality is optional.

Proposed change

Security enhancement.
To add the option to block incoming requests by IP subnet, not just by IP address.
Any valid subnet range can be used, like 1.2.3.0/24 (small range) or 1.2.0.0/16 (large range).
The existing http component only allows for individual IP addresses.

Change the order of security filtering to check for banned IP addresses (individual or range) before checking for anomalous strings in the requested path.
This is on the logic that if an IP has been flagged as suspicious there's no point checking for details in the requested path.

Added the source path to security notifications and log entries (so the user can see the origin IP address and potentially block it or its subnet).

Type of change

  • Dependency upgrade
  • Bugfix (non-breaking change which fixes an issue)
  • New integration (thank you!)
  • New feature (which adds functionality to an existing integration)
  • Deprecation (breaking change to happen in the future)
  • Breaking change (fix/feature causing existing functionality to break)
  • Code quality improvements to existing code or addition of tests

Additional information

Every incoming request is checked against a list of banned IP subnets and if the IP address is in any of the banned subnets a forbidden response is generated.
If the IP is not in any of the banned subnets, normal checking for security issues carries on as before.

__init__.py has been changed to load the new configuration options, which are a list of banned subnets and whether or not the user wants to log and/or be notified of breaches.

The banned subnets are defined in configuration.yaml in the format:

http:
  ...
  ip_ban_enabled: true # existing
  login_attempts_threshold: 5 # existing
  banned_networks: # new/optional block
    - 111.7.0.0/16 # any IPv4Network
    - 45.0.0.0/8
    - 179.43.0.0/16
    - 123.160.0.0/14
    - 137.220.0.0/16
    - 195.178.0.0/16
    - 88.214.0.0/16
    - 216.10.0.0/16
  log_banned_networks: True # new/optional, defaults True
  notify_banned_networks: True # new/optional, defaults True

Checklist

  • The code change is tested and works locally.
  • Local tests pass. Your PR cannot be merged unless tests pass (I need help with this)
  • There is no commented out code in this PR.
  • I have followed the development checklist
  • I have followed the perfect PR recommendations (I don't understand git well enough)
  • The code has been formatted using Ruff (ruff format homeassistant tests)
  • Tests have been added to verify that the new code works. (I need help with this)

If user exposed functionality or configuration variables are added/changed:

If the code communicates with devices, web services, or third-party tools: Does not communicate

  • The manifest file has all fields filled out correctly.
    Updated and included derived files by running: python3 -m script.hassfest.
  • New or updated dependencies have been added to requirements_all.txt.
    Updated by running python3 -m script.gen_requirements_all.
  • For the updated dependencies - a link to the changelog, or at minimum a diff between library versions is added to the PR description.

To help with the load of incoming pull requests:
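The subnet check and the filtering order the description above lays out, as an added example that is not the PR's or Home Assistant's code: it uses the standard-library ipaddress module to parse the banned_networks block, refuses a configured range that overlaps a protected network (the commit list mentions protecting the supervisor subnet; the value used here is a hypothetical placeholder, as are the suspicious-path fragments standing in for the component's existing path checks), and checks the banned networks before the requested path, logging the source IP as the PR describes.

```python
"""Added example (not Home Assistant's own code): subnet-based request banning
of the kind the PR describes, built on the standard-library ipaddress module.

Assumptions (not from the PR): the config dict mirrors the configuration.yaml
keys in the description; PROTECTED_NETWORKS and SUSPICIOUS_PATH_FRAGMENTS are
hypothetical placeholders.
"""
from __future__ import annotations

import ipaddress
import logging
from dataclasses import dataclass, field
from typing import Union

_LOGGER = logging.getLogger(__name__)

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical placeholder for a network that must never be banned; the real
# supervisor subnet is not on the page.
PROTECTED_NETWORKS: tuple = (ipaddress.ip_network("10.99.0.0/24"),)

# Constructed stand-ins for the path checks the existing http component performs.
SUSPICIOUS_PATH_FRAGMENTS = ("../", "%2e%2e", "<script")


@dataclass
class BanConfig:
    banned_networks: list = field(default_factory=list)
    log_banned_networks: bool = True
    notify_banned_networks: bool = True


def load_ban_config(raw: dict) -> BanConfig:
    """Parse the http: options the PR adds. A malformed range or one that
    overlaps a protected network raises ValueError instead of being applied."""
    networks = []
    for entry in raw.get("banned_networks", []):
        # strict=False tolerates host bits set (1.2.3.4/24 becomes 1.2.3.0/24).
        net = ipaddress.ip_network(str(entry), strict=False)
        for protected in PROTECTED_NETWORKS:
            if net.version == protected.version and net.overlaps(protected):
                raise ValueError(f"banned network {net} overlaps protected {protected}")
        networks.append(net)
    return BanConfig(
        banned_networks=networks,
        log_banned_networks=bool(raw.get("log_banned_networks", True)),
        notify_banned_networks=bool(raw.get("notify_banned_networks", True)),
    )


def banned_network_for(ip: str, config: BanConfig):
    """Return the first configured network containing ip, or None.
    ip is the peer address as the server reports it (already validated there)."""
    addr = ipaddress.ip_address(ip)
    for net in config.banned_networks:
        if addr.version == net.version and addr in net:
            return net
    return None


@dataclass
class Decision:
    status: int            # 403 when blocked, 200 when allowed through
    reason: str = ""       # log/notification text, includes the source IP
    notify: bool = False   # whether the front end would be notified


def filter_request(remote_ip: str, path: str, config: BanConfig) -> Decision:
    """Same order as the PR: banned subnet first, then path anomaly checks."""
    net = banned_network_for(remote_ip, config)
    if net is not None:
        msg = f"Request from {remote_ip} blocked: address in banned network {net}"
        if config.log_banned_networks:
            _LOGGER.warning(msg)
        return Decision(403, msg, notify=config.notify_banned_networks)
    lowered = path.lower()
    for fragment in SUSPICIOUS_PATH_FRAGMENTS:
        if fragment in lowered:
            msg = f"Suspicious path {path!r} from {remote_ip}"
            _LOGGER.warning(msg)
            return Decision(403, msg, notify=True)
    return Decision(200)


# Constructed sample configuration using three ranges from the PR description.
SAMPLE_CONFIG = load_ban_config({
    "banned_networks": ["111.7.0.0/16", "45.0.0.0/8", "123.160.0.0/14"],
    "log_banned_networks": True,
    "notify_banned_networks": False,
})

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for ip, path in [("111.7.200.1", "/api/states"), ("8.8.8.8", "/../etc"), ("8.8.8.8", "/")]:
        print(ip, path, filter_request(ip, path, SAMPLE_CONFIG))
```

Because the subnet test runs first, a request from a banned range never reaches the path checks, which is the reordering the PR argues for; the overlap check in load_ban_config is the kind of guard that keeps a broad range such as a /8 from accidentally covering the supervisor network.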

HLFCode added 9 commits March 7, 2025 18:26
Added the option to ban by subnet using a standard subnet descriptor (e.g. 123.4.0.0/16). Existing ip_bans.yaml left as is
Option to ban by subnet and optionally notify front end and system logs
Subnet bans added and prevent banning supervisor subnet
Added source ip of offending call to log entry and added front end notification
Added ban by subnet and improved logging/notification
Now checks for banned ip/network before checking the requested path etc
@HLFCode HLFCode requested a review from a team as a code owner March 15, 2025 11:07

@home-assistant home-assistant bot left a comment


Hi @HLFCode

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

@home-assistant

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@home-assistant home-assistant bot marked this pull request as draft March 15, 2025 11:07
@home-assistant

Hey there @home-assistant/core, mind taking a look at this pull request as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

  • @home-assistant close Closes the pull request.
  • @home-assistant rename Awesome new title Renames the pull request.
  • @home-assistant reopen Reopen the pull request.
  • @home-assistant unassign http Removes the current integration label and assignees on the pull request, add the integration domain after the command.
  • @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the pull request.
  • @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the pull request.

@talik31

talik31 commented Mar 16, 2025

Amazing, it's really matching the security improvement needed on the IPBan feature. Since the beginning of this year every port opened on the Internet is massively scanned & tried by bots.
Thank you so much for your hard work and I hope it'll be part of one of the next releases of HA.
