fix: block IPv6 multicast SSRF bypass

src/infra/net/ssrf.test.ts

@@ -38,6 +38,9 @@ const privateIpCases = [
   "fe80::1%lo0",
   "fd00::1",
   "fec0::1",
+  "ff02::1",
+  "ff05::1:3",
+  "[ff02::1]",
   "2001:db8:1234::5efe:127.0.0.1",
   "2001:db8:1234:1:200:5efe:7f00:1",
 ];

src/shared/net/ip.test.ts

@@ -45,8 +45,10 @@ describe("shared ip helpers", () => {
     }
   });
 
-  it("treats deprecated site-local IPv6 as private/internal", () => {
+  it("treats blocked IPv6 classes as private/internal", () => {
     expect(isPrivateOrLoopbackIpAddress("fec0::1")).toBe(true);
+    expect(isPrivateOrLoopbackIpAddress("ff02::1")).toBe(true);
+    expect(isPrivateOrLoopbackIpAddress("[ff05::1:3]")).toBe(true);
     expect(isPrivateOrLoopbackIpAddress("2001:4860:4860::8888")).toBe(false);
   });
 });

src/shared/net/ip.ts

@@ -27,6 +27,7 @@ const PRIVATE_OR_LOOPBACK_IPV6_RANGES = new Set<Ipv6Range>([
   "loopback",
   "linkLocal",
   "uniqueLocal",
+  "multicast",
 ]);
 const RFC2544_BENCHMARK_PREFIX: [ipaddr.IPv4, number] = [ipaddr.IPv4.parse("198.18.0.0"), 15];
 export type Ipv4SpecialUseBlockOptions = {