fix: allow RFC2544 benchmark range (198.18.0.0/15) through SSRF filter

Telegram's API and file servers resolve to IPs in the 198.18.0.0/15
range (RFC 2544 benchmarking range). The SSRF filter was blocking these
addresses because ipaddr.js classifies them as 'reserved', and the
filter also had an explicit RFC2544_BENCHMARK_PREFIX check that blocked
them unconditionally.

Fix: exempt 198.18.0.0/15 from the 'reserved' range block in
isBlockedSpecialUseIpv4Address(). Other 'reserved' ranges (TEST-NET-2,
TEST-NET-3, documentation prefixes) remain blocked. The explicit
RFC2544_BENCHMARK_PREFIX check is repurposed as the exemption guard.

Closes #24973
User
2026-02-24 10:47:11 +08:00
committed by Peter Steinberger
parent 237b9be937
commit 9df80b73e2
4 changed files with 48 additions and 11 deletions


@@ -28,6 +28,12 @@ const PRIVATE_OR_LOOPBACK_IPV6_RANGES = new Set<Ipv6Range>([
"linkLocal",
"uniqueLocal",
]);
/**
* RFC 2544 benchmark range (198.18.0.0/15). Originally reserved for network
* device benchmarking, but in practice used by real services — notably
* Telegram's API/file servers resolve to addresses in this block. We
* therefore exempt it from the SSRF block list.
*/
const RFC2544_BENCHMARK_PREFIX: [ipaddr.IPv4, number] = [ipaddr.IPv4.parse("198.18.0.0"), 15];
const EMBEDDED_IPV4_SENTINEL_RULES: Array<{
@@ -248,9 +254,13 @@ export function isCarrierGradeNatIpv4Address(raw: string | undefined): boolean {
}
export function isBlockedSpecialUseIpv4Address(address: ipaddr.IPv4): boolean {
return (
BLOCKED_IPV4_SPECIAL_USE_RANGES.has(address.range()) || address.match(RFC2544_BENCHMARK_PREFIX)
);
const range = address.range();
if (range === "reserved" && address.match(RFC2544_BENCHMARK_PREFIX)) {
// 198.18.0.0/15 is classified as "reserved" by ipaddr.js but is used by
// real public services (e.g. Telegram API). Allow it through.
return false;
}
return BLOCKED_IPV4_SPECIAL_USE_RANGES.has(range);
}
function decodeIpv4FromHextets(high: number, low: number): ipaddr.IPv4 {
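Review bot: The new early return in `isBlockedSpecialUseIpv4Address()` exempts all of 198.18.0.0/15 for every caller of the SSRF filter, not only for Telegram fetches. IANA's special-purpose registry lists this block as not globally reachable, so a hostname resolving into it is probably being answered by a local proxy or VPN resolver (fake-IP DNS) or points at lab or internal equipment. On hosts where the range is routed internally, any URL that passes through this filter can now reach those addresses. Consider making the exemption opt-in and blocked by default, for example through an optional second parameter (the name here is a placeholder): `if (opts?.allowRfc2544BenchmarkRange && range === "reserved" && address.match(RFC2544_BENCHMARK_PREFIX)) return false;`, set only by the Telegram code path. The doc comment on `RFC2544_BENCHMARK_PREFIX` in the first hunk should then read along the lines of `Not globally routable; allowed only when a caller opts in, because local fake-IP resolvers can map real hosts into this block.` instead of describing the range as used by public services.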