From 3099d74b286eedcb1dda4939af5e29aaef47b807 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 18 Mar 2026 17:23:53 +0000
Subject: [PATCH] fix: ensure cloud metadata SSRF error is consistent for IPv4-mapped addresses
---
 backend/internal/security/url_validator.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/backend/internal/security/url_validator.go b/backend/internal/security/url_validator.go
index fa368925..0104e57d 100644
--- a/backend/internal/security/url_validator.go
+++ b/backend/internal/security/url_validator.go
@@ -294,6 +294,11 @@ func ValidateExternalURL(rawURL string, options ...ValidationOption) (string, er
 continue
 }
 if network.IsPrivateIP(ipv4) {
+ // Cloud metadata endpoint must produce the specific error even
+ // when the address arrives as an IPv4-mapped IPv6 value.
+ if ipv4.String() == "169.254.169.254" {
+ return "", fmt.Errorf("access to cloud metadata endpoints is blocked for security (detected: %s)", sanitizeIPForError(ipv4.String()))
+ }
 return "", fmt.Errorf("connection to private ip addresses is blocked for security (detected IPv4-mapped IPv6: %s)", ip.String())
 }
 }
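Review bot: The added check in the IPv4-mapped branch identifies the metadata endpoint by comparing `ipv4.String()` with a string literal, which presumably duplicates the literal and message of the non-mapped path (not visible in this hunk) and leaves the two free to drift apart again. Calling one shared helper from both branches, e.g. `if isCloudMetadataIP(ipv4) { return "", errCloudMetadataBlocked(ipv4) }` (suggested names, not existing ones), would keep the classification and the wording in a single place. The new message passes the address through `sanitizeIPForError`, while the generic private-IP message directly below still formats `ip.String()` unsanitized, so the two errors in this block treat the detected address differently. The commit touches one file and adds no test; a table case that feeds an IPv4-mapped form of the metadata address and asserts the metadata-specific error would pin the behaviour that log-based detection may rely on. ValidateExternalURL starts and continues outside the hunk.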