Files
fizzy/app/models
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
..
2025-12-11 10:25:34 +01:00
2025-12-09 20:24:09 -05:00
2025-12-03 14:27:52 +00:00
2025-12-26 19:33:26 +01:00
2025-12-16 16:44:20 +01:00
2025-12-17 08:56:08 +01:00
2025-12-16 13:36:40 +01:00
2025-11-14 11:44:04 +01:00
2025-11-27 12:34:31 -05:00
2025-11-27 11:08:45 -05:00
2025-07-21 20:11:03 -05:00
2025-11-21 14:53:17 +00:00
2025-11-17 09:11:36 -05:00
2025-11-17 09:12:40 -05:00
2025-11-17 09:12:41 -05:00