fix(cli): re-validate SSRF denylist on redirects + harden isPrivateUrl

[vanceingalls]

Summary

• Adds safeFetch, a redirect-aware wrapper around fetch that re-runs the SSRF denylist on every hop before following a redirect.
• Routes fetchBuffer and the Lottie media fetch through safeFetch so redirect chains can't bounce through a public URL to reach an internal or cloud-metadata host.
• Hardens isPrivateUrl to also block 0.0.0.0 / 0.0.0.0/8, IPv6 loopback (::1), IPv4-mapped (::ffff:…), unique-local (fc00::/7), and link-local (fe80::/10) ranges.

Security

F-002 MED — fetchBuffer followed redirects without re-checking the denylist on the destination. A 30x redirect from an allowlisted public URL to 169.254.169.254 or an internal host would succeed, leaking the response to the caller (e.g. captured page assets written to local disk).

F-003 MED — isPrivateUrl did not cover 0.0.0.0 (maps to localhost on most OSes), IPv6 loopback, or IPv6 private ranges. An asset URL using those addresses would bypass the denylist. Alternate IPv4 encodings (decimal/octal/hex) are already normalized to dotted-quad by WHATWG URL parsing and remain blocked.

Test plan

• Unit tests cover redirect-chain blocking (redirect to metadata IP rejected)
• Unit tests cover new isPrivateUrl address forms (0.0.0.0, ::1, fc00::1, fe80::1, ::ffff:192.168.1.1)
• Existing fetch and asset-download tests pass

[vanceingalls]

• fix(core): prevent symlink path traversal in htmlBundler safePath (F-005) #1214
• fix(aws-lambda): validate event S3 URIs against render bucket (F-004) #1213
• fix(cli): re-validate SSRF denylist on redirects + harden isPrivateUrl #1212 👈 (View in Graphite)
• fix(cli): bind studio preview server to loopback by default #1210
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[miguel-heygen]

Review: #1212 — SSRF denylist on redirects + harden isPrivateUrl

Solid hardening. Notes:

isPrivateUrl

• Protocol check moved to top — file://, ftp://, etc. are now blocked before hostname parsing. ✓
• 0.0.0.0/8 block added (was missing before, maps to localhost on some kernels). ✓
• 127.0.0.0/8 block is now correct (covers all of loopback, not just 127.0.0.1). ✓
• WHATWG URL canonicalization means decimal/hex/octal IPv4 like http://2130706433/ and http://0x7f000001/ are already normalized to dotted-quad before isPrivateIpv4 sees them. The tests confirm this assumption. ✓

safeFetch

• Manual redirect loop with redirect: "manual" re-runs isPrivateUrl on every Location header. This is the correct approach — redirect: "follow" would bypass the check on subsequent hops. ✓
• MAX_FETCH_REDIRECTS=5 is a reasonable cap.
• One potential issue: new URL(loc, current) will throw if loc is malformed. Wrapping that in try/catch and returning null would be safer, otherwise a redirect to a malformed Location surfaces as an unhandled exception rather than a null return.

fetchBuffer / saveLottieAnimations

• Both callsites switched to safeFetch. ✓
• if (!res || !res.ok) correctly handles the null return. ✓

Minor nit on the redirect resolve: add a try/catch around new URL(loc, current). Otherwise LGTM.

[miguel-heygen]

One actionable item before merging: in safeFetch, the redirect resolution via new URL(loc, current) can throw if the Location header is malformed. That would surface as an unhandled exception rather than a clean null return. Please wrap it in try/catch and return null on parse failure.

[vanceingalls]

The try/catch around new URL(loc, current) was added in the same PR (see safeFetch lines 335–339 in assetDownloader.ts). Malformed Location headers now return null cleanly. This should resolve the change request.

The base branch was changed.

[graphite-app]

Merge activity

• Jun 5, 9:50 PM UTC: Graphite rebased this pull request, because this pull request is set to merge when ready.
• Jun 6, 12:01 AM UTC: @vanceingalls merged this pull request with Graphite.