fix(security): guard protocol download against SSRF

The protocol download URL is user-supplied and fetched in the main process.
Resolve the host and refuse private/loopback/link-local targets, and reject
redirects so a public host cannot bounce to an internal address (e.g. cloud
metadata). Addresses the pushed-commit security review finding.

Author: jthrilly

.eslintrc.json

@@ -122,7 +122,8 @@
                 "preload",
                 "reduxstore",
                 "renderer",
-                "utils"
+                "utils",
+                "loopback"
              ],
              "skipIfMatch": [
                 "http(s)?://[^s]*",

src/main/protocolDownload.js

@@ -1,11 +1,43 @@
 import { app, net } from 'electron';
 import fs from 'node:fs';
 import path from 'node:path';
+import dns from 'node:dns';
+import { isIP } from 'node:net';
 import { randomUUID } from 'node:crypto';
 
+const isPrivateIPv4 = (ip) => {
+  const [a, b] = ip.split('.').map(Number);
+  if (a === 0 || a === 127 || a === 10) { return true; } // unspecified, loopback, private
+  if (a === 172 && b >= 16 && b <= 31) { return true; } // private
+  if (a === 192 && b === 168) { return true; } // private
+  if (a === 169 && b === 254) { return true; } // link-local
+  return false;
+};
+
+const isPrivateIPv6 = (ip) => {
+  const addr = ip.toLowerCase();
+  if (addr === '::1' || addr === '::') { return true; } // loopback, unspecified
+  const mapped = addr.match(/::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped
+  if (mapped) { return isPrivateIPv4(mapped[1]); }
+  if (/^f[cd]/.test(addr)) { return true; } // unique-local fc00::/7
+  if (/^fe[89ab]/.test(addr)) { return true; } // link-local fe80::/10
+  return false;
+};
+
+const isBlockedAddress = (address) => {
+  const kind = isIP(address);
+  if (kind === 4) { return isPrivateIPv4(address); }
+  if (kind === 6) { return isPrivateIPv6(address); }
+  return true; // not a resolvable IP literal: refuse
+};
+
 // Downloads a remote protocol to a temp file. Runs in the main process, where
 // fetch is not subject to the renderer's CORS policy. Returns the temp path,
 // which is inside app temp so the extract step's path guard permits it.
+//
+// SSRF guard: the URL is user-supplied, so we resolve the host and refuse
+// private/loopback/link-local targets, and reject redirects (which could
+// otherwise bounce a public host to an internal address).
 const downloadProtocol = async (url) => {
   let parsed;
   try {
@@ -17,7 +49,12 @@ const downloadProtocol = async (url) => {
     throw new Error(`Disallowed URL scheme: ${parsed.protocol}`);
   }
 
-  const response = await net.fetch(parsed.href);
+  const addresses = await dns.promises.lookup(parsed.hostname, { all: true });
+  if (addresses.length === 0 || addresses.some(({ address }) => isBlockedAddress(address))) {
+    throw new Error('Refusing to download from a private, loopback, or link-local address.');
+  }
+
+  const response = await net.fetch(parsed.href, { redirect: 'error' });
   if (!response.ok) {
     throw new Error(`Unexpected response status ${response.status}`);
   }