Files
fizzy/test/models
Jeremy Daer 0eefd67b68 Block IPv4-compatible IPv6 addresses in SSRF protection (#2273)
The SSRF filter checked ipv4_mapped? but not ipv4_compat?, allowing
addresses like ::169.254.169.254 to bypass the link-local check and
reach cloud metadata endpoints.

Changes:
- Add ipv4_compat? check to block deprecated IPv4-compatible format
- Rename private_address? to blocked_address? (more accurate - method
  blocks more than just RFC 1918 private ranges)
- Add IPv6 test coverage for both mapped and compat formats

Both ipv4_mapped and ipv4_compat formats are blocked entirely as
defense-in-depth: DNS never returns these formats, so they only
appear in attack scenarios.

HackerOne: #3481701
2025-12-29 21:45:06 -08:00
..
2025-12-11 11:21:09 +00:00
2025-11-19 17:51:38 -05:00
2025-11-25 16:10:34 -06:00
2025-12-09 20:24:09 -05:00
2025-12-13 13:05:30 -05:00
2025-11-17 09:12:31 -05:00
2025-12-16 16:44:20 +01:00
2025-11-14 11:24:55 +01:00
2025-06-05 16:07:19 +02:00