Add experimental query: SSRF host guard missing IPv6-transition unwrap (CWE-918/CWE-1389) by tonghuaroot · Pull Request #21950 · github/codeql
Add javascript/ssrf-ipv6-transition-incomplete-guard, an experimental @kind problem query that flags hand-rolled SSRF host guards which reject private/loopback IPv4 ranges but never unwrap IPv6-transition forms (IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4 2002::). Such guards can be bypassed by wrapping an internal IPv4 address in a transition literal.

Includes a .qhelp with good/bad examples, a change note, and a test pack with two true-positive fixtures (private-ip package guard and a hand-written RFC 1918 denylist) and two negative-control fixtures (ipaddr.js range classifier and an explicit ::ffff: unwrap).

Signed-off-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
Fix the JS integration test failure flagged in review by listing the new experimental CWE-918 query in the expected not-included-in-qls suite, in sorted order.
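
The guard pattern the first commit message describes, next to a version that unwraps transition forms before classifying. This is an added example, not code from the pull request, its .qhelp, or its test fixtures. All function names are hypothetical, and the IPv4 denylist (loopback, RFC 1918, link-local, 0.0.0.0/8) is an assumed minimal set.

```javascript
// Added example; every function name here is hypothetical.
const parseIPv4 = (h) => {
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  const o = m && m.slice(1).map(Number);
  return o && o.every((n) => n <= 255) ? o : null;
};
// Assumed denylist: loopback, RFC 1918, link-local and 0.0.0.0/8.
const isInternalIPv4 = ([a, b]) => a === 0 || a === 10 || a === 127 ||
  (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
// Guard of the kind the query flags: only a bare dotted quad is classified.
const naiveGuard = (host) => { const o = parseIPv4(host); return o !== null && isInternalIPv4(o); };

// Expand an IPv6 literal (brackets and dotted-quad tail allowed) to 8 groups, or null.
function parseIPv6(host) {
  let s = host.replace(/^\[|\]$/g, '').toLowerCase();
  const tail = s.match(/(?:^|:)(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const o = parseIPv4(tail[1]);
    if (!o) return null;
    const hex = ((o[0] << 8) | o[1]).toString(16) + ':' + ((o[2] << 8) | o[3]).toString(16);
    s = s.slice(0, -tail[1].length) + hex;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves[1] ? halves[1].split(':') : [];
  const gap = 8 - head.length - rest.length;
  if (halves.length === 1 ? gap !== 0 : gap < 1) return null;
  const groups = [...head, ...Array(halves.length === 2 ? gap : 0).fill('0'), ...rest];
  return groups.every((g) => /^[0-9a-f]{1,4}$/.test(g)) ? groups.map((g) => parseInt(g, 16)) : null;
}
// IPv4 carried in IPv4-mapped (::ffff:0:0/96), NAT64 (64:ff9b::/96) or 6to4 (2002::/16).
function embeddedIPv4(g) {
  const quad = (hi, lo) => [hi >> 8, hi & 255, lo >> 8, lo & 255];
  const zero = (from, to) => g.slice(from, to).every((x) => x === 0);
  if (zero(0, 5) && g[5] === 0xffff) return quad(g[6], g[7]);
  if (g[0] === 0x64 && g[1] === 0xff9b && zero(2, 6)) return quad(g[6], g[7]);
  return g[0] === 0x2002 ? quad(g[1], g[2]) : null;
}
// Hardened check: unwrap transition forms before applying the IPv4 denylist.
function isInternalIpLiteral(host) {
  const v4 = parseIPv4(host);
  if (v4) return isInternalIPv4(v4);
  const g = parseIPv6(host);
  if (!g) return false; // not an IP literal: DNS names need resolve-then-check
  if (g.slice(0, 7).every((x) => x === 0) && g[7] <= 1) return true; // :: and ::1
  const inner = embeddedIPv4(g);
  return inner !== null && isInternalIPv4(inner);
}
```

A literal check like this covers only the hostname string; a DNS name still has to be resolved and every returned address run through the same classifier.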