Add experimental C# query: SSRF host guard missing IPv6-transition unwrap (CWE-918/CWE-1389) by tonghuaroot · Pull Request #21964 · github/codeql

@tonghuaroot

…wrap (CWE-918/CWE-1389)

Mirrors the JavaScript experimental query SsrfIpv6TransitionIncompleteGuard.
Flags SSRF host-validation guards that reject private/loopback IPv4 ranges but
never unwrap IPv6-transition forms (IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4
2002::), so an internal IPv4 address wrapped in a transition literal bypasses the
guard. A partial MapToIPv4 / IsIPv4MappedToIPv6 unwrap (which only canonicalizes
::ffff:0:0/96) is treated as an unsafe signal; an explicit transition-prefix
literal or extract-embedded-IPv4 helper suppresses the alert.

Signed-off-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>
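
The guard shape the commit message describes, next to a form that unwraps all three transition prefixes before the IPv4 range check. This is an added C# example, not code from the pull request or from CodeQL; the class and method names are hypothetical, the sample addresses are constructed, and the internal-range list is abbreviated.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

static class HostGuard // hypothetical names throughout
{
    // Abbreviated internal-IPv4 list: loopback, 0/8, RFC 1918, link-local.
    static bool IsInternalV4(byte[] b) =>
        b[0] == 127 || b[0] == 10 || b[0] == 0 ||
        (b[0] == 172 && (b[1] & 0xF0) == 16) ||
        (b[0] == 192 && b[1] == 168) || (b[0] == 169 && b[1] == 254);

    // Incomplete guard: MapToIPv4 only canonicalizes ::ffff:0:0/96.
    public static bool IsBlockedPartial(IPAddress ip)
    {
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        return ip.AddressFamily == AddressFamily.InterNetwork
            ? IsInternalV4(ip.GetAddressBytes())
            : IPAddress.IsLoopback(ip);
    }

    // Embedded IPv4 bytes for IPv4-mapped, NAT64 (64:ff9b::/96) and 6to4 (2002::/16); null otherwise.
    static byte[] EmbeddedV4(byte[] a)
    {
        bool Zero(int from, int to) { for (int i = from; i < to; i++) if (a[i] != 0) return false; return true; }
        byte[] At(int o) => new[] { a[o], a[o + 1], a[o + 2], a[o + 3] };
        if (Zero(0, 10) && a[10] == 0xff && a[11] == 0xff) return At(12);
        if (a[0] == 0 && a[1] == 0x64 && a[2] == 0xff && a[3] == 0x9b && Zero(4, 12)) return At(12);
        if (a[0] == 0x20 && a[1] == 0x02) return At(2);
        return null;
    }

    // Hardened guard: unwrap every transition form, then apply the same IPv4 check.
    public static bool IsBlockedFull(IPAddress ip)
    {
        byte[] bytes = ip.GetAddressBytes();
        if (ip.AddressFamily == AddressFamily.InterNetworkV6)
        {
            byte[] v4 = EmbeddedV4(bytes);
            if (v4 == null) return IPAddress.IsLoopback(ip); // native IPv6 ranges are out of scope here
            bytes = v4;
        }
        return IsInternalV4(bytes);
    }

    static void Main()
    {
        // Constructed samples: 127.0.0.1 as plain IPv4, IPv4-mapped, NAT64 and 6to4.
        foreach (var s in new[] { "127.0.0.1", "::ffff:127.0.0.1", "64:ff9b::7f00:1", "2002:7f00:1::" })
            Console.WriteLine($"{s,-18} partial={IsBlockedPartial(IPAddress.Parse(s))} full={IsBlockedFull(IPAddress.Parse(s))}");
    }
}
```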