Fix IPv4-mapped address support

timokoessler · timokoessler · commit 5ac7a4b55fee · 2025-03-20T14:15:51.000+01:00
diff --git a/library/helpers/mapIPv4ToIPv6.test.ts b/library/helpers/mapIPv4ToIPv6.test.ts
@@ -0,0 +1,13 @@
+import * as t from "tap";
+import mapIPv4ToIPv6 from "./mapIPv4ToIPv6";
+
+t.test("it works", async (t) => {
+  t.equal(mapIPv4ToIPv6("127.0.0.0"), "::ffff:127.0.0.0/128");
+  t.equal(mapIPv4ToIPv6("127.0.0.0/8"), "::ffff:127.0.0.0/104");
+  t.equal(mapIPv4ToIPv6("10.0.0.0"), "::ffff:10.0.0.0/128");
+  t.equal(mapIPv4ToIPv6("10.0.0.0/8"), "::ffff:10.0.0.0/104");
+  t.equal(mapIPv4ToIPv6("10.0.0.1"), "::ffff:10.0.0.1/128");
+  t.equal(mapIPv4ToIPv6("10.0.0.1/8"), "::ffff:10.0.0.1/104");
+  t.equal(mapIPv4ToIPv6("192.168.0.0/16"), "::ffff:192.168.0.0/112");
+  t.equal(mapIPv4ToIPv6("172.16.0.0/12"), "::ffff:172.16.0.0/108");
+});
diff --git a/library/helpers/mapIPv4ToIPv6.ts b/library/helpers/mapIPv4ToIPv6.ts
@@ -0,0 +1,14 @@
+/**
+ * Maps an IPv4 address to an IPv6 address.
+ * e.g. 127.0.0.1/8 -> ::ffff:127
+ */
+export default function mapIPv4ToIPv6(ip: string): string {
+  if (!ip.includes("/")) {
+    // No CIDR suffix, assume /32
+    return `::ffff:${ip}/128`;
+  }
+
+  const parts = ip.split("/");
+  const suffix = Number.parseInt(parts[1], 10);
+  return `::ffff:${parts[0]}/${suffix + 96}`;
+}
diff --git a/library/vulnerabilities/ssrf/containsPrivateIPAddress.test.ts b/library/vulnerabilities/ssrf/containsPrivateIPAddress.test.ts
@@ -31,6 +31,9 @@ const publicIPs = [
   "fb00::",
   "fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
   "fec0::",
+  "::ffff:1.2.3.4",
+  "::ffff:172.1.2.3",
+  "::ffff:192.145.0.0",
 ];
 
 const privateIPs = [
@@ -139,6 +142,10 @@ const privateIPs = [
   "::1",
   "::ffff:0.0.0.0",
   "::ffff:127.0.0.1",
+  "::ffff:127.0.0.2",
+  "::ffff:10.0.0.1",
+  "::ffff:172.16.1.2",
+  "::ffff:192.168.2.2",
   "fe80::",
   "fe80::1",
   "fe80::abc:1",
diff --git a/library/vulnerabilities/ssrf/isPrivateIP.ts b/library/vulnerabilities/ssrf/isPrivateIP.ts
@@ -1,4 +1,5 @@
 import { IPMatcher } from "../../helpers/ip-matcher/IPMatcher";
+import mapIPv4ToIPv6 from "../../helpers/mapIPv4ToIPv6";
 
 const PRIVATE_IP_RANGES = [
   "0.0.0.0/8", // "This" network (RFC 1122)
@@ -27,12 +28,14 @@ const PRIVATE_IPV6_RANGES = [
   "::1/128", // Loopback address (RFC 4291)
   "fc00::/7", // Unique local address (ULA) (RFC 4193)
   "fe80::/10", // Link-local address (LLA) (RFC 4291)
-  "::ffff:127.0.0.1/128", // IPv4-mapped address (RFC 4291)
-  "::ffff:0:0",
   "100::/64", // Discard prefix (RFC 6666)
   "2001:db8::/32", // Documentation prefix (RFC 3849)
   "3fff::/20", // Documentation prefix (RFC 9637)
-];
+  "::ffff:0:0",
+].concat(
+  // Add the IPv4-mapped IPv6 addresses
+  PRIVATE_IP_RANGES.map(mapIPv4ToIPv6)
+);
 
 const privateIp = new IPMatcher();
 
