From 9a07619b894ae6b2bbecd0681f40e5cf9ccff5c3 Mon Sep 17 00:00:00 2001
From: GitHub Actions
Date: Wed, 18 Mar 2026 19:08:55 +0000
Subject: [PATCH] fix: assert cloud-metadata error and no raw IPv6 leak for mapped metadata IP
---
 backend/internal/security/url_validator_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/backend/internal/security/url_validator_test.go b/backend/internal/security/url_validator_test.go
index 240c4c50..fc7e6019 100644
--- a/backend/internal/security/url_validator_test.go
+++ b/backend/internal/security/url_validator_test.go
@@ -1185,4 +1185,12 @@ func TestValidateExternalURL_WithAllowRFC1918_IPv4MappedMetadataBlocked(t *testi
 if err == nil {
 t.Fatal("expected IPv4-mapped metadata address to be blocked, got nil")
 }
+ // Must produce the cloud-metadata-specific error, not the generic private-IP error.
+ if !strings.Contains(err.Error(), "cloud metadata") {
+ t.Errorf("expected cloud metadata error, got: %v", err)
+ }
+ // The raw mapped form must not be leaked in the error message.
+ if strings.Contains(err.Error(), "::ffff:") {
+ t.Errorf("error message leaks raw IPv4-mapped form: %v", err)
+ }
 }
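Review bot: The no-leak assertion `strings.Contains(err.Error(), "::ffff:")` matches only the lowercase, compressed spelling, so an error that echoes the host as `::FFFF:…` or in the expanded form `0:0:0:0:0:ffff:…` would still pass this test. Lowercasing first and matching the shorter marker covers those variants: `if msg := strings.ToLower(err.Error()); strings.Contains(msg, "ffff:") {`. The test's input URL is set up outside this hunk, so whether the validator echoes the caller's literal or a re-serialised address cannot be told from here; if it echoes the literal, asserting that the error does not contain that exact input host would be the stronger check. The positive check on the substring `"cloud metadata"` ties the test to message wording, so if the package exposes a sentinel or typed error for this case, `errors.Is` would pin the classification without depending on the text.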