Security Fix: Fix IPv4-mapped IPv6 metadata IP bypass vulnerability

browse/src/url-validation.ts

@@ -26,9 +26,72 @@ function normalizeHostname(hostname: string): string {
   return h;
 }
 
+/**
+ * Extract IPv4 address from IPv4-mapped IPv6 address (::ffff:x.x.x.x or ::x.x.x.x).
+ * Returns null if not an IPv4-mapped address.
+ */
+function extractIpv4FromMappedIpv6(hostname: string): string | null {
+  // Match IPv4-mapped IPv6 patterns with dotted decimal notation:
+  // - ::ffff:192.0.2.1 (standard IPv4-mapped)
+  // - ::192.0.2.1 (deprecated IPv4-compatible)
+  // - 0:0:0:0:0:ffff:192.0.2.1 (full form)
+  // - 0:0:0:0:0:0:192.0.2.1 (full deprecated form)
+
+  // Check for IPv4-mapped pattern with dotted decimal
+  const mappedPattern = /^(::ffff:|0:0:0:0:0:ffff:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i;
+  const match = hostname.match(mappedPattern);
+  if (match) {
+    return match[2];
+  }
+
+  // Check for deprecated IPv4-compatible pattern (::192.0.2.1 or 0:0:0:0:0:0:192.0.2.1)
+  const compatPattern = /^(::|0:0:0:0:0:0:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/i;
+  const compatMatch = hostname.match(compatPattern);
+  if (compatMatch) {
+    return compatMatch[2];
+  }
+
+  // Check for hex-encoded IPv4-mapped addresses:
+  // - ::ffff:a9fe:a9fe (where a9fe = 169.254)
+  // - 0:0:0:0:0:ffff:a9fe:a9fe (full form)
+  const hexMappedPattern = /^(::ffff:|0:0:0:0:0:ffff:)([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
+  const hexMatch = hostname.match(hexMappedPattern);
+  if (hexMatch) {
+    const part1 = parseInt(hexMatch[2], 16);
+    const part2 = parseInt(hexMatch[3], 16);
+    if (!isNaN(part1) && !isNaN(part2) && part1 <= 65535 && part2 <= 65535) {
+      const octet1 = (part1 >> 8) & 0xff;
+      const octet2 = part1 & 0xff;
+      const octet3 = (part2 >> 8) & 0xff;
+      const octet4 = part2 & 0xff;
+      return `${octet1}.${octet2}.${octet3}.${octet4}`;
+    }
+  }
+
+  // Check for deprecated hex IPv4-compatible:
+  // - ::a9fe:a9fe
+  // - 0:0:0:0:0:0:a9fe:a9fe
+  const hexCompatPattern = /^(::|0:0:0:0:0:0:)([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i;
+  const hexCompatMatch = hostname.match(hexCompatPattern);
+  if (hexCompatMatch) {
+    const part1 = parseInt(hexCompatMatch[2], 16);
+    const part2 = parseInt(hexCompatMatch[3], 16);
+    if (!isNaN(part1) && !isNaN(part2) && part1 <= 65535 && part2 <= 65535) {
+      const octet1 = (part1 >> 8) & 0xff;
+      const octet2 = part1 & 0xff;
+      const octet3 = (part2 >> 8) & 0xff;
+      const octet4 = part2 & 0xff;
+      return `${octet1}.${octet2}.${octet3}.${octet4}`;
+    }
+  }
+
+  return null;
+}
+
 /**
  * Check if a hostname resolves to the link-local metadata IP 169.254.169.254.
- * Catches hex (0xA9FEA9FE), decimal (2852039166), and octal (0251.0376.0251.0376) forms.
+ * Catches hex (0xA9FEA9FE), decimal (2852039166), octal (0251.0376.0251.0376),
+ * and IPv4-mapped IPv6 (::ffff:169.254.169.254) forms.
  */
 function isMetadataIp(hostname: string): boolean {
   // Try to parse as a numeric IP via URL constructor — it normalizes all forms
@@ -41,6 +104,22 @@ function isMetadataIp(hostname: string): boolean {
   } catch {
     // Not a valid hostname — can't be a metadata IP
   }
+
+  // Check for IPv4-mapped IPv6 addresses that bypass URL normalization
+  // Examples: ::ffff:169.254.169.254, ::169.254.169.254, 0:0:0:0:0:ffff:169.254.169.254
+  const extractedIpv4 = extractIpv4FromMappedIpv6(hostname);
+  if (extractedIpv4) {
+    // Check if the extracted IPv4 is a metadata IP
+    if (BLOCKED_METADATA_HOSTS.has(extractedIpv4)) return true;
+    // Also check normalized forms of the extracted IP
+    try {
+      const probe = new URL(`http://${extractedIpv4}`);
+      if (BLOCKED_METADATA_HOSTS.has(probe.hostname)) return true;
+    } catch {
+      // Ignore errors
+    }
+  }
+
   return false;
 }
 
@@ -93,3 +172,5 @@ export async function validateNavigationUrl(url: string): Promise<void> {
     );
   }
 }
+
+

browse/test/url-validation.test.ts

@@ -66,7 +66,41 @@ describe('validateNavigationUrl', () => {
     await expect(validateNavigationUrl('http://[fd00::]/')).rejects.toThrow(/cloud metadata/i);
   });
 
+  // SECURITY FIX: IPv4-mapped IPv6 bypass protection
+  // These test cases verify that IPv4-mapped IPv6 addresses cannot bypass metadata IP blocking
+  // See: https://en.wikipedia.org/wiki/IPv6_address#IPv4-mapped_IPv6_addresses
+
+  it('blocks metadata IP in IPv4-mapped IPv6 form (::ffff:169.254.169.254)', async () => {
+    await expect(validateNavigationUrl('http://[::ffff:169.254.169.254]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in IPv4-mapped IPv6 hex form (::ffff:a9fe:a9fe)', async () => {
+    await expect(validateNavigationUrl('http://[::ffff:a9fe:a9fe]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in deprecated IPv4-compatible form (::169.254.169.254)', async () => {
+    await expect(validateNavigationUrl('http://[::169.254.169.254]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in full IPv4-mapped IPv6 form (0:0:0:0:0:ffff:169.254.169.254)', async () => {
+    await expect(validateNavigationUrl('http://[0:0:0:0:0:ffff:169.254.169.254]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in full deprecated IPv4-compatible form (0:0:0:0:0:0:169.254.169.254)', async () => {
+    await expect(validateNavigationUrl('http://[0:0:0:0:0:0:169.254.169.254]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in full IPv4-mapped hex form (0:0:0:0:0:ffff:a9fe:a9fe)', async () => {
+    await expect(validateNavigationUrl('http://[0:0:0:0:0:ffff:a9fe:a9fe]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
+  it('blocks metadata IP in full deprecated IPv4-compatible hex form (0:0:0:0:0:0:a9fe:a9fe)', async () => {
+    await expect(validateNavigationUrl('http://[0:0:0:0:0:0:a9fe:a9fe]/')).rejects.toThrow(/cloud metadata/i);
+  });
+
   it('throws on malformed URLs', async () => {
     await expect(validateNavigationUrl('not-a-url')).rejects.toThrow(/Invalid URL/i);
   });
 });
+
+