• Enhanced IPv6 address validation to detect IPv4-mapped and IPv4-compatible addresses
• Added manual blocks for specific IPv6 ranges (64:ff9b:1::/48, 5f00::/8, 3fff::/20, fec0::/10)
• Fixed hostname parsing in URL validation to strip IPv6 bracket notation
• Improved internal IP detection logic for security vulnerability mitigation

IPv6 validation and URL hostname parsing improvements

• Enhanced is_ip_internal() function to handle IPv4-mapped (ipv4Mapped) and IPv4-compatible
 (rfc6145) IPv6 addresses by recursively validating their IPv4 representation
• Added manual CIDR range blocks for specific IPv6 ranges (64:ff9b:1::/48, 5f00::/8, 3fff::/20,
 fec0::/10) to catch additional internal/reserved addresses
• Fixed hostname extraction in is_url_safe() and is_url_safe_debug() functions to strip IPv6
 bracket notation using regex replacement
• Improved security by preventing bypass of internal IP checks through IPv6 address variations

dist/helpers.js

Description

The IPv6/URL hostname hardening was applied only in dist/helpers.js, while src/helpers.ts still
contains the old logic; running tsc (the project build) will overwrite dist and drop the fix. Code
paths importing from src/ (e.g., benches) will also continue using the old behavior, undermining
the intended GHSA fix.

Code

dist/helpers.js[R224-249]

+        if (range !== "unicast") {
+            // Check for IPv4-mapped or IPv4-compatible addresses
+            if (range === "ipv4Mapped" || range === "rfc6145") {
+                try {
+                    // @ts-ignore
+                    const ipv4 = parsed.toIPv4Address();
+                    return is_ip_internal(ipv4.toString());
+                }
+                catch {
+                    return true;
+                }
+            }
+            return true;
+        }
+        // Additional manual blocks for IPv6
+        const extraBadRanges = [
+            ipaddr.parseCIDR("64:ff9b:1::/48"),
+            ipaddr.parseCIDR("5f00::/8"),
+            ipaddr.parseCIDR("3fff::/20"),
+            ipaddr.parseCIDR("fec0::/10"),
+        ];
+        for (const [range, bits] of extraBadRanges) {
+            // @ts-ignore
+            if (parsed.match(range, bits))
+                return true;
+        }

Evidence

tsconfig.json compiles only src/ into dist/, and package.json’s build script runs tsc, so
dist is derived from src and will be regenerated from the unchanged source. The source still uses
the old IPv6 internal check and does not strip brackets from parsed.hostname, while benches import
from ../src/utils and therefore exercise the unfixed src implementation.

tsconfig.json[2-12]
package.json[21-36]
src/helpers.ts[224-243]
src/helpers.ts[482-510]
dist/helpers.js[215-252]
dist/helpers.js[425-450]
benches/ssrf-validation.bench.ts[2-16]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Security-related IPv6/hostname validation changes were made directly in the generated file `dist/helpers.js` only. The authoritative source `src/helpers.ts` still has the previous behavior, so `npm run build` (`tsc`) will overwrite the fix and internal repo imports from `src/` will remain vulnerable.

### Issue Context
- `tsconfig.json` outputs to `dist` and includes only `src`.
- `package.json` build script is `tsc`.
- Benchmarks import from `../src/utils`.

### Fix Focus Areas
- src/helpers.ts[224-243]
- src/helpers.ts[482-520]
- dist/helpers.js[215-252]
- dist/helpers.js[425-460]

### What to do
1. Implement the same IPv6 validation logic (including IPv4-mapped handling + extra blocked ranges) in `src/helpers.ts:is_ip_internal`.
2. Apply the same hostname normalization (`parsed.hostname.replace(...)`) in `src/helpers.ts:is_url_safe` (and debug variant if intended).
3. Re-run `npm run build` to regenerate `dist/` from `src/` and commit the generated output so `dist/` matches `src/`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Description

is_ip_internal() parses constant IPv6 CIDRs on every invocation by recreating extraBadRanges,
causing avoidable repeated work. While likely not a bottleneck versus DNS/network I/O, this is a
simple optimization and reduces per-call overhead in loops that classify many IPs.

Code

dist/helpers.js[R238-244]

+        // Additional manual blocks for IPv6
+        const extraBadRanges = [
+            ipaddr.parseCIDR("64:ff9b:1::/48"),
+            ipaddr.parseCIDR("5f00::/8"),
+            ipaddr.parseCIDR("3fff::/20"),
+            ipaddr.parseCIDR("fec0::/10"),
+        ];

Evidence

extraBadRanges is created inside is_ip_internal, and is_ip_internal is called repeatedly when
classifying resolved IPs (e.g., in classify_ips_allow_global_ipv6 and other flows). Moving CIDR
parsing to module scope avoids repeating the same parsing work for each call.

dist/helpers.js[238-249]
dist/helpers.js[264-276]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`is_ip_internal()` recreates and parses the same static IPv6 CIDRs on every call.

### Issue Context
This function can be called multiple times per URL validation (e.g., for each resolved IP). Even if the savings are small, it’s easy to eliminate repeated parsing.

### Fix Focus Areas
- dist/helpers.js[238-249]
- (after porting logic) src/helpers.ts[is_ip_internal implementation]

### What to do
1. Define a module-level constant like `const EXTRA_BAD_RANGES = [ipaddr.parseCIDR(...), ...]`.
2. Reuse it inside `is_ip_internal()` instead of parsing each time.
3. If `dist/` is generated, make the change in `src/` and regenerate `dist/`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Results:
0 new issues

View in Codacy