fix(security): resolve IPv6-mapped IPv4 bypass in SSRF protection

[VIDYANKSHINI]

Summary

Fixed a critical SSRF vulnerability bypass involving IPv6-mapped IPv4 addresses and AAAA-only hosts, and patched an underlying 32-bit signed integer overflow bug in the IP evaluation logic.

Closes #2151

---

Type of Change

• Bug fix
• Security patch
• New feature
• Documentation update
• Refactor / code cleanup

---

Changes Made

• Bitwise Signed Integer Overflow Fix: Patched ipToNumber to return a 32-bit unsigned integer (via >>> 0). Previously, calculating 192 << 24 resulted in a negative number, allowing internal IPs like 192.168.x.x to silently bypass the bounds check.
• IPv6 Mapped IPv4: Added logic to extract the IPv4 portion from IPv6-mapped addresses (e.g., ::ffff:192.168.1.1) and validate it normally.
• IPv6 Loopback & Link-local Protection: Explicitly blocked common IPv6 private networks (::1, ::, fe80::, fc00::, fd00::).
• AAAA Record Validation: Enhanced isSafeUrl to resolve both A and AAAA records. If any resolved IP points to a private/internal network, the request is blocked.
• Expanded Test Coverage: Added comprehensive Vitest test cases mocking dns.resolve to verify behavior for IPv6, mapped IPv4, and public/private resolutions.

---

How to Test

1. Run npm run test locally and verify that the ssrf-protection.test.ts suite passes, including all the new isSafeUrl test cases.
2. Confirm that public domains continue to resolve correctly while resolving an AAAA record like ::ffff:169.254.169.254 returns false.

---

Screenshots (if UI change)

N/A

---

Checklist

• Linked issue in summary
• npm run lint passes locally
• No TypeScript errors (npm run type-check)
• Self-reviewed the diff
• Added/updated tests if applicable

[vercel]

@VIDYANKSHINI is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

GSSoC Label Checklist 🏷️

@Priyanshu-byte-coder — please apply the appropriate labels before merging:

Difficulty (pick one):

• level:beginner — 20 pts
• level:intermediate — 35 pts
• level:advanced — 55 pts
• level:critical — 80 pts

Quality (optional):

• quality:clean — ×1.2 multiplier
• quality:exceptional — ×1.5 multiplier

Validation (required to score):

• gssoc:approved — counts for points
• gssoc:invalid / gssoc:spam / gssoc:ai-slop — does not score

Type labels (type:*) are auto-detected from files and title. Review and adjust if needed.
Points formula: (difficulty × quality_multiplier) + type_bonus

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR strengthens SSRF defenses by improving IP parsing/private-network detection (including IPv6 cases) and expanding isSafeUrl DNS resolution to cover both A and AAAA records, with new tests added around these behaviors.

Changes:

• Harden IPv4 parsing and private-IP detection (incl. IPv6-mapped IPv4 handling and invalid format blocking).
• Update isSafeUrl to resolve both A and AAAA DNS records and reject more localhost bypass patterns.
• Add Vitest coverage for isSafeUrl using mocked DNS resolution.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
test/ssrf-protection.test.ts	Adds unit tests for isSafeUrl, including protocol filtering and private/public IP outcomes via DNS mocks.
src/lib/ssrf-protection.ts	Enhances IP parsing/private detection and extends isSafeUrl to check both IPv4 and IPv6 DNS records.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

🎉 Merged! Thanks for contributing to DevTrack.

If the project has been useful to you, a ⭐ star on the repo is the easiest way to support it — it helps DevTrack get discovered by more developers.

Keep an eye on open issues for your next contribution!