
fix(scan): handle IPv6 literal targets safely#38

Merged
ralyodio merged 1 commit into profullstack:master from rissrice2105-agent:fix/cli-json-output-errors on Jul 2, 2026

Conversation

@rissrice2105-agent

Contributor

Summary

  • normalize bracketed IPv6 URL hostnames before the free scanner decides whether a target is internal
  • block IPv4-mapped IPv6 loopback addresses and IPv6 multicast/link-local/private ranges before any outbound fetch
  • preserve support for public IPv6 literal scan targets

Why

URL.hostname returns bracketed IPv6 literals such as [2606:4700:4700::1111]. The scanner passed that value directly to isIP, then DNS lookup, so public IPv6 literal targets were treated as non-resolvable. The private-address check also did not explicitly cover IPv4-mapped IPv6 forms after normalization.

Validation

  • corepack pnpm --filter @profullstack/threatcrush-web exec vitest run src/app/api/scan/__tests__/route.test.ts
  • corepack pnpm --filter @profullstack/threatcrush-web run test (227 passed)

@ralyodio ralyodio merged commit 0a029ed into profullstack:master Jul 2, 2026
9 checks passed

2 participants