fix(sap_s4hana): catch hex-form IPv4-mapped IPv6 in SSRF check

waleedlatif1 · claude · waleedlatif1 · commit ff6b4c27db99 · 2026-04-27T09:48:47.000-07:00
The WHATWG URL parser normalizes IPv4-mapped IPv6 addresses to hex form
(e.g. [::ffff:169.254.169.254] → [::ffff:a9fe:a9fe]), which slipped past
the dotted-decimal-only extractor. Decode the trailing two 16-bit hex
groups back into IPv4 octets and run them through isPrivateIPv4. Also
add isPrivateOrLoopbackIPv6 so pure IPv6 loopback (::, ::1), unique
local addresses (fc00::/7), and link-local (fe80::/10) cannot be reached.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts b/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts
@@ -205,16 +205,36 @@ function isPrivateIPv4(host: string): boolean {
 function extractIPv4MappedHost(host: string): string | null {
   const stripped = host.startsWith('[') && host.endsWith(']') ? host.slice(1, -1) : host
   const lower = stripped.toLowerCase()
-  const prefixes = ['::ffff:', '::']
-  for (const prefix of prefixes) {
+  for (const prefix of ['::ffff:', '::']) {
     if (lower.startsWith(prefix)) {
       const candidate = lower.slice(prefix.length)
       if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(candidate)) return candidate
     }
   }
+  const hexMatch = lower.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/)
+  if (hexMatch) {
+    const high = Number.parseInt(hexMatch[1] as string, 16)
+    const low = Number.parseInt(hexMatch[2] as string, 16)
+    if (high >= 0 && high <= 0xffff && low >= 0 && low <= 0xffff) {
+      const a = (high >> 8) & 0xff
+      const b = high & 0xff
+      const c = (low >> 8) & 0xff
+      const d = low & 0xff
+      return `${a}.${b}.${c}.${d}`
+    }
+  }
   return null
 }
 
+function isPrivateOrLoopbackIPv6(host: string): boolean {
+  const stripped = host.startsWith('[') && host.endsWith(']') ? host.slice(1, -1) : host
+  const lower = stripped.toLowerCase()
+  if (lower === '::' || lower === '::1') return true
+  if (/^fc[0-9a-f]{2}:/.test(lower) || /^fd[0-9a-f]{2}:/.test(lower)) return true
+  if (lower.startsWith('fe80:')) return true
+  return false
+}
+
 function checkExternalUrlSafety(
   rawUrl: string,
   label: string
@@ -239,6 +259,9 @@ function checkExternalUrlSafety(
   if (mapped && isPrivateIPv4(mapped)) {
     return { ok: false, message: `${label} host is not allowed (IPv4-mapped private range)` }
   }
+  if (isPrivateOrLoopbackIPv6(host)) {
+    return { ok: false, message: `${label} host is not allowed (IPv6 private/loopback)` }
+  }
   return { ok: true, url: parsed }
 }
 
