fix(security): also block IPv4-compatible IPv6 with Class E embedded IPv4

waleedlatif1 · waleedlatif1 · commit 91b64775a670 · 2026-05-05T20:47:30.000-07:00
diff --git a/apps/sim/lib/core/security/input-validation.server.ts b/apps/sim/lib/core/security/input-validation.server.ts
@@ -44,7 +44,7 @@ export function isPrivateOrReservedIP(ip: string): boolean {
       const v6 = addr as ipaddr.IPv6
       const parts = v6.parts
       const firstSixZero = parts.slice(0, 6).every((p) => p === 0)
-      if (firstSixZero && parts[6] !== 0xffff) {
+      if (firstSixZero) {
         const embedded = ipaddr.fromByteArray([
           (parts[6] >> 8) & 0xff,
           parts[6] & 0xff,
diff --git a/apps/sim/lib/core/security/input-validation.test.ts b/apps/sim/lib/core/security/input-validation.test.ts
@@ -645,6 +645,15 @@ describe('isPrivateOrReservedIP', () => {
     ])('allows IPv4-compatible IPv6 with embedded public IPv4 %s — %s', (ip) => {
       expect(isPrivateOrReservedIP(ip)).toBe(false)
     })
+
+    it.concurrent.each([
+      ['::ffff:1', 'embedded 255.255.0.1 (Class E reserved) via parts[6]=0xffff'],
+      ['::ffff:0', 'embedded 255.255.0.0 (Class E reserved)'],
+      ['::ffff:abcd', 'embedded 255.255.171.205 (Class E reserved)'],
+      ['::f000:1', 'embedded 240.0.0.1 (Class E reserved)'],
+    ])('blocks IPv4-compatible IPv6 with Class E embedded IPv4 %s — %s', (ip) => {
+      expect(isPrivateOrReservedIP(ip)).toBe(true)
+    })
   })
 
   describe('non-IPv4-compat unicast IPv6 (must not over-block)', () => {
