CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-05 05:05:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): block hex-encoded IPv4-mapped IPv6 metadata bypass

Browse Source 
URL constructor normalizes ::ffff:169.254.169.254 to ::ffff:a9fe:a9fe
(hex form), which was not in the blocklist. Similarly, ::169.254.169.254
normalizes to ::a9fe:a9fe.

Add both hex-encoded forms to BLOCKED_METADATA_HOSTS so they're caught
by the direct hostname check in validateNavigationUrl.

Closes #739

Co-Authored-By: Osman Mehmood <mehmoodosman@users.noreply.github.com>
This commit is contained in:
Garry Tan
2026-04-13 09:42:16 -07:00
parent f93ffe56cc
commit 84593bb97a
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
browse/src/url-validation.ts
+2
View File
@@ -7,6 +7,8 @@ export const BLOCKED_METADATA_HOSTS = new Set([
'169.254.169.254', // AWS/GCP/Azure instance metadata
'fe80::1', // IPv6 link-local — common metadata endpoint alias
'::ffff:169.254.169.254', // IPv4-mapped IPv6 form of the metadata IP
'::ffff:a9fe:a9fe', // Hex-encoded IPv4-mapped form (URL constructor normalizes to this)
'::a9fe:a9fe', // Deprecated IPv4-compatible hex form
'metadata.google.internal', // GCP metadata
'metadata.azure.internal', // Azure IMDS
]);