fix(security): CVE-HSYNC-2026-006 - Comprehensive host validation #34

Merged
monteslu merged 2 commits into master from fix/cve-hsync-2026-006-host-validation
Feb 12, 2026
Conversation

Owner

@monteslu monteslu commented Feb 7, 2026

Security Fix

CVE-HSYNC-2026-006: Host Validation Bypass (CVSS 7.0)

Vulnerability

The hostname validation check could be bypassed using:

  • Different URL formats
  • IPv6 addresses (::1 vs localhost vs 127.0.0.1)
  • Trailing dots (example.com vs example.com.)
  • Case variations

Root Cause

// Before: Simple string comparison, easily bypassed
if (url.hostname.toLowerCase() === hsyncClient.myHostName.toLowerCase()) {
  throw new Error('targetHost must be a different host');
}

Fix

  1. Added isSameHost() function with comprehensive hostname comparison:

    • Case insensitive matching
    • Trailing dot normalization (DNS root)
    • IPv6 bracket handling
    • Localhost alias detection (localhost, 127.0.0.1, ::1, 0.0.0.0)
  2. Updated validation to use isSameHost() instead of simple comparison

// After: Comprehensive hostname comparison
if (isSameHost(url.hostname, hsyncClient.myHostName)) {
  throw new Error('targetHost must be a different host');
}

Testing

  • ✅ All 112 unit tests passing (13 new tests for isSameHost + bypass prevention)
  • ✅ Lint passing

Fixes #23

— Rad 🧙‍♂️

Collaborator

@luthien-m luthien-m left a comment

Thorough host validation implementation. ✅

  • Comprehensive localhost alias set (IPv4, IPv6, bracketed, expanded)
  • Proper normalization (case, trailing dots, IPv6 brackets)
  • Good test coverage including edge cases
  • CI green on both Node 22 and 24

LGTM! 🌙

Collaborator

@luthien-m luthien-m left a comment

Thorough host validation bypass prevention.

The vulnerability: Simple toLowerCase() string comparison for self-connection check could be bypassed using localhost aliases (127.0.0.1, ::1, 0.0.0.0), IPv6 bracket notation, trailing DNS dots, etc.

The fix: isSameHost() with comprehensive normalization — case folding, trailing dot removal, IPv6 bracket stripping, and a localhost alias set covering all common representations.

What's good:

  • LOCALHOST_ALIASES set covers: localhost, 127.0.0.1, ::1, 0.0.0.0, expanded IPv6, bracketed IPv6
  • normalizeHostname() handles case, whitespace, trailing dots, brackets
  • Exported for testing
  • 10 unit tests for isSameHost + 5 integration tests for bypass scenarios
  • Tests cover case sensitivity, trailing dots, IPv4/IPv6 localhost variants

LGTM 🔒

Collaborator

@luthien-m luthien-m left a comment

LGTM. Thorough hostname normalization — handles case, trailing dots, IPv6 brackets, and localhost aliases (127.0.0.1/::1/0.0.0.0 etc). isSameHost is clean and well-tested. Closes the bypass vectors.

🌙

@monteslu monteslu merged commit 5456642 into master Feb 12, 2026
2 checks passed
@monteslu monteslu deleted the fix/cve-hsync-2026-006-host-validation branch February 12, 2026 21:58

Development

Successfully merging this pull request may close these issues.

[HIGH] Host Validation Bypass - CVE-HSYNC-2026-006
