Block IPv6 unspecified feed URLs (#15)

Autowebassat-blip · web-flow · commit 73e2464b30d9 · 2026-06-11T21:06:03.000-07:00
diff --git a/plugins/feed-discovery/src/feed-discovery.test.ts b/plugins/feed-discovery/src/feed-discovery.test.ts
@@ -50,6 +50,7 @@ describe("site probing helpers", () => {
 
   it("blocks private SSRF targets", async () => {
     await expect(assertSafeHttpUrl("http://127.0.0.1/feed")).rejects.toThrow(/Blocked internal/);
+    await expect(assertSafeHttpUrl("http://[::]/feed")).rejects.toThrow(/Blocked internal/);
     await expect(assertSafeHttpUrl("http://[::ffff:192.168.1.10]/feed")).rejects.toThrow(/Blocked internal/);
     await expect(assertSafeHttpUrl("file:///etc/passwd")).rejects.toThrow(/Unsupported URL protocol/);
   });
diff --git a/plugins/feed-discovery/src/url-safety.ts b/plugins/feed-discovery/src/url-safety.ts
@@ -78,6 +78,7 @@ function isBlockedIp(value: string) {
       return isBlockedIp(`${high >> 8}.${high & 255}.${low >> 8}.${low & 255}`);
     }
     return (
+      normalized === "::" ||
       normalized === "::1" ||
       normalized.startsWith("fc") ||
       normalized.startsWith("fd") ||

Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ function isBlockedIp(value: string) {`
`78`	`78`	return isBlockedIp(`${high >> 8}.${high & 255}.${low >> 8}.${low & 255}`);
`79`	`79`	`}`
`80`	`80`	`return (`
	`81`	`+ normalized === "::" \|\|`
`81`	`82`	`normalized === "::1" \|\|`
`82`	`83`	`normalized.startsWith("fc") \|\|`
`83`	`84`	`normalized.startsWith("fd") \|\|`