[Security] DNS rebinding protection only checks IPv4 — IPv6 AAAA records bypass

## Summary

`resolvesToBlockedIp()` in `browse/src/url-validation.ts:51` only calls `dns.resolve4()` (A records). It never checks `dns.resolve6()` (AAAA records). The `BLOCKED_METADATA_HOSTS` set includes `fd00::` but that is only matched against the raw hostname string, not resolved IPv6 addresses. A DNS rebinding attack via an AAAA record pointing to a blocked IPv6 metadata address bypasses protection.

## Reproduction

```
# Attacker sets up DNS:
# evil.com  AAAA  fd00::
$B goto http://evil.com   # passes validation, reaches metadata endpoint
```

## Fix

PR #664 adds `resolve6` check in parallel with `resolve4`, using `Promise.all` with individual `.catch(() => [])` for resilience.

Found via sqry AST-based semantic code graph analysis.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] DNS rebinding protection only checks IPv4 — IPv6 AAAA records bypass #668

Summary

Reproduction

Fix

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security] DNS rebinding protection only checks IPv4 — IPv6 AAAA records bypass #668

Description

Summary

Reproduction

Fix

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions