fix(security): block NAT64/6to4/Teredo IPv6 addresses embedding private IPv4 in SSRF guard

[ital0]

Note

Medium Risk
Changes security-critical outbound fetch validation used by link preview; behavior is tightened with tests, but misclassification of NAT64/public embeds could break legitimate DNS64 fetches.

Overview
Extends isPrivateAddress in url-validation.ts with embeddedIpv4, so IPv6 transition forms (NAT64 64:ff9b::/96, 6to4, RFC6145, Teredo) are treated as private when the embedded IPv4 is internal—while still allowing NAT64/DNS64 addresses that wrap public IPv4.

Adds broad SSRF regression tests: alternate IPv4 encodings, bracketed IPv6 literals, userinfo decoys, DNS rebinding and NAT64 AAAA cases for validateAndPin / createSafeFetch, plus POST /v1/preview e2e checks that the advisory path-style route is absent and loopback/rebind targets are blocked without caching leaked metadata.

^{Reviewed by Cursor Bugbot for commit 9c6e480. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

Semgrep Security Scan

No security issues found.

[github-actions]

Preview environment deployed 🚀

Service	URL
Marketing / blog / docs	https://thunderbolt-pr-995.preview.thunderbolt.io
App	https://app-pr-995.preview.thunderbolt.io
API	https://api-pr-995.preview.thunderbolt.io
Keycloak	https://auth-pr-995.preview.thunderbolt.io
PowerSync	https://powersync-pr-995.preview.thunderbolt.io

Stack: preview-pr-995 · Commit: 9c6e480e3176d32d027e07f97fd88195944aaa49

Auto-destroys on PR close/merge. Login via the bundled Keycloak realm — demo@thunderbolt.io / demo by default.

[github-actions]

PR Metrics

Metric	Value
Lines changed (prod code)	+41 / -2
JS bundle size (gzipped)	🟢 682.3 KB → 682.1 KB (-191 B, -0.0%)
Test coverage	🟢 78.09% → 78.09% (+0.0%)
Performance (preview)	Preview not ready — Render deploy may have timed out
Accessibility	—
Best Practices	—
SEO	—

Updated Thu, 18 Jun 2026 21:26:48 GMT · run #1954