From cf07461436915c02228f1c22a4e968772f7a84a6 Mon Sep 17 00:00:00 2001
From: Olivier
Date: Mon, 18 May 2026 08:38:58 +0200
Subject: [PATCH] fix: guard _ping() against proxy-ARP false positives

Verify that the ICMP reply source IP matches the target before reporting a host as alive. Prevents scan from returning the entire CIDR range when a gateway answers ARP requests on behalf of all IPs.

Co-Authored-By: Claude Sonnet 4.6
---
 backend/routers/discovery.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/backend/routers/discovery.py b/backend/routers/discovery.py
index d5f7e3c..7356603 100644
--- a/backend/routers/discovery.py
+++ b/backend/routers/discovery.py
@@ -54,7 +54,12 @@ def _ping(ip: str) -> bool:
 capture_output=True,
 timeout=3,
 )
- return r.returncode == 0
+ if r.returncode != 0:
+ return False
+ # Guard against proxy-ARP / gateway false positives: verify the ICMP
+ # reply actually came from the target IP and not an intermediate node.
+ stdout = r.stdout.decode(errors="ignore")
+ return f"from {ip}:" in stdout or f"from {ip} " in stdout
 except Exception:
 return False
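Review bot: The substring test on the last added line only recognises reply lines printed as `from <ip>:` or `from <ip> `, so a live host whose address has a reverse-DNS name can be reported as down when ping prints `from name (ip):` instead. The ping arguments sit above the hunk, so whether numeric output is forced is not visible here; if it is not, also accept the parenthesised form, e.g. `return any(m in stdout for m in (f"from {ip}:", f"from {ip} ", f"({ip}):"))`. The match is also tied to English output, so the subprocess should run with a fixed locale (for example `LC_ALL=C` merged into its environment), otherwise a translated ping turns every live host into a false negative. A short comment naming the ping output formats the two patterns are meant to cover would make the intent checkable.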