Description
Hello @frenchbread, I am x3rz, a researcher on huntr.dev, since you wanted to discuss this issue here.
Yes, it gives 'false' because they are resolved to a private IP, as the main objective of the package is telling whether the IP is private or not. As you said about 127.000.000.1, this basically resolves to localhost, which is a private IP, and the same goes for the other payloads, especially the decimal-encoded value of localhost, i.e. 2130706433, which gives false; but if you visit it from your browser you will see that this also resolves to localhost. For the hex-encoded payload for localhost the package works just fine: 0x7f000001 gives "true" for this one. And yes, you can resolve it to undefined and stop further execution, similar to 'false', but all of these payloads resolve to localhost, which could cause SSRF. For more references you can check:
- This one contains all the payloads that resolve to private IP addresses:
  https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#file
- This one is just for reference that a blocklist could be implemented which could handle this issue pretty easily:
  https://github.com/y-mehta/ssrf-req-filter/blob/master/test/blockUrls.txt
- This one shows the possible bypasses and the logic behind them:
  https://vickieli.medium.com/bypassing-ssrf-protection-e111ae70727b