From 61acc99cf3208f2b0c8920fdaf92cbcca70d3686 Mon Sep 17 00:00:00 2001
From: Autowebassat-blip
Date: Fri, 12 Jun 2026 05:08:05 +0200
Subject: [PATCH] Block IPv6 unspecified feed URLs
---
 plugins/feed-discovery/src/feed-discovery.test.ts | 1 +
 plugins/feed-discovery/src/url-safety.ts | 1 +
 2 files changed, 2 insertions(+)
diff --git a/plugins/feed-discovery/src/feed-discovery.test.ts b/plugins/feed-discovery/src/feed-discovery.test.ts
index 3efd069..f2c4383 100644
--- a/plugins/feed-discovery/src/feed-discovery.test.ts
+++ b/plugins/feed-discovery/src/feed-discovery.test.ts
@@ -50,6 +50,7 @@ describe("site probing helpers", () => {
 it("blocks private SSRF targets", async () => {
 await expect(assertSafeHttpUrl("http://127.0.0.1/feed")).rejects.toThrow(/Blocked internal/);
+ await expect(assertSafeHttpUrl("http://[::]/feed")).rejects.toThrow(/Blocked internal/);
 await expect(assertSafeHttpUrl("http://[::ffff:192.168.1.10]/feed")).rejects.toThrow(/Blocked internal/);
 await expect(assertSafeHttpUrl("file:///etc/passwd")).rejects.toThrow(/Unsupported URL protocol/);
 });
diff --git a/plugins/feed-discovery/src/url-safety.ts b/plugins/feed-discovery/src/url-safety.ts
index c2e6d25..4bde9cb 100644
--- a/plugins/feed-discovery/src/url-safety.ts
+++ b/plugins/feed-discovery/src/url-safety.ts
@@ -78,6 +78,7 @@ function isBlockedIp(value: string) {
 return isBlockedIp(`${high >> 8}.${high & 255}.${low >> 8}.${low & 255}`);
 }
 return (
+ normalized === "::" ||
 normalized === "::1" ||
 normalized.startsWith("fc") ||
 normalized.startsWith("fd") ||
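Review bot: The new `normalized === "::"` check in isBlockedIp only matches the fully compressed spelling, so it is correct only if `normalized` (computed outside this hunk) canonicalizes IPv6 text rather than just lowercasing it; otherwise equivalent spellings such as `0:0:0:0:0:0:0:0`, `::0` or `0::` would pass the unspecified-address check while still denoting the same address. A shape-based test is robust to whichever normalization is used, since a syntactically valid IPv6 literal made only of zeros and colons is always the unspecified address: `/^[0:]+$/.test(normalized) ||`. The added test in feed-discovery.test.ts goes through assertSafeHttpUrl, where the WHATWG URL parser already serializes the host as `[::]`, so it cannot detect this gap; isBlockedIp is also presumably reached with resolver output, which is the path where an uncompressed form is plausible, and a direct case on that path would be worth adding if the helper is reachable from the tests. The IPv4 branch of isBlockedIp is outside the hunk, so I cannot confirm that `0.0.0.0` (and therefore the mapped `::ffff:0.0.0.0` via the recursive call) is treated the same way; the function's body continues past the end of the hunk.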