@fedify/vocab-runtime 2.3.0-dev.1190 → 2.3.0-dev.1213

package/dist/tests/url-m9Qzxy-Y.mjs

@@ -0,0 +1,176 @@
+import { lookup } from "node:dns/promises";
+import { isIP } from "node:net";
+//#region src/url.ts
+var UrlError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "UrlError";
+	}
+};
+/**
+* Validates a URL to prevent SSRF attacks.
+*/
+async function validatePublicUrl(url) {
+	const parsed = new URL(url);
+	if (parsed.protocol !== "http:" && parsed.protocol !== "https:") throw new UrlError(`Unsupported protocol: ${parsed.protocol}`);
+	let hostname = parsed.hostname;
+	if (hostname.startsWith("[") && hostname.endsWith("]")) hostname = hostname.slice(1, -1);
+	if (hostname === "localhost") throw new UrlError("Localhost is not allowed");
+	const hostnameFamily = isIP(hostname);
+	if (hostnameFamily !== 0) {
+		validatePublicIpAddress(hostname, hostnameFamily);
+		return;
+	}
+	if ("Deno" in globalThis && !isIP(hostname)) {
+		if ((await Deno.permissions.query({ name: "net" })).state !== "granted") return;
+	}
+	if ("Bun" in globalThis) {
+		if (hostname === "example.com" || hostname.endsWith(".example.com")) return;
+		else if (hostname === "fedify-test.internal") throw new UrlError("Invalid or private address: fedify-test.internal");
+	}
+	let addresses;
+	try {
+		addresses = await lookup(hostname, { all: true });
+	} catch {
+		addresses = [];
+	}
+	for (const { address, family } of addresses) validatePublicIpAddress(address, family);
+}
+function validatePublicIpAddress(address, family) {
+	if (family === 4 && isValidPublicIPv4Address(address) || family === 6 && isValidPublicIPv6Address(address)) return;
+	throw new UrlError(`Invalid or private address: ${address}`);
+}
+function isValidPublicIPv4Address(address) {
+	const parts = parseIPv4Address(address);
+	if (parts == null) return false;
+	const value = ipv4PartsToNumber(parts);
+	return !nonPublicIPv4Prefixes.some(({ base, prefix }) => matchesIPv4Prefix(value, base, prefix));
+}
+function isValidPublicIPv6Address(address) {
+	const words = parseIPv6Address(address);
+	if (words == null) return false;
+	if (nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) => matchesIPv6Prefix(words, prefixWords, prefix))) return false;
+	for (const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes) {
+		if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+		const ipv4Address = extractIPv4(words);
+		if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) return false;
+	}
+	return true;
+}
+function expandIPv6Address(address) {
+	address = address.toLowerCase();
+	const ipv4Delimiter = address.lastIndexOf(":");
+	if (address.includes(".") && ipv4Delimiter >= 0) {
+		const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+		if (ipv4Parts == null) return address;
+		const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+		const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+		address = address.substring(0, ipv4Delimiter + 1) + high.toString(16) + ":" + low.toString(16);
+	}
+	if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
+	if (address.startsWith("::")) address = "0000" + address;
+	if (address.endsWith("::")) address = address + "0000";
+	address = address.replace("::", ":0000".repeat(8 - (address.match(/:/g) || []).length) + ":");
+	return address.split(":").map((part) => part.padStart(4, "0")).join(":");
+}
+const nonPublicIPv4Prefixes = [
+	ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+	ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+	ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+	ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+	ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+	ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+	ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+	ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+	ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+	ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+	ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+	ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+	ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+	ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+	ipv4Prefix("240.0.0.0/4", "RFC 1112")
+];
+const nonPublicIPv6Prefixes = [
+	ipv6Prefix("::/16", "RFC 4291"),
+	ipv6Prefix("2001::/32", "RFC 4380"),
+	ipv6Prefix("2002::/16", "RFC 3056"),
+	ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+	ipv6Prefix("fc00::/7", "RFC 4193"),
+	ipv6Prefix("fe80::/10", "RFC 4291"),
+	ipv6Prefix("ff00::/8", "RFC 4291")
+];
+const ipv6WithIPv4Prefixes = [{
+	...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+	extractIPv4: (words) => ipv4FromWords(words[6], words[7])
+}];
+function ipv4Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const parts = parseIPv4Address(address);
+	if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+	return {
+		cidr,
+		base: ipv4PartsToNumber(parts),
+		prefix,
+		rfc
+	};
+}
+function ipv6Prefix(cidr, rfc) {
+	const [address, prefixText] = cidr.split("/");
+	const prefix = parseInt(prefixText, 10);
+	const words = parseIPv6Address(address);
+	if (words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128) throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+	return {
+		cidr,
+		words,
+		prefix,
+		rfc
+	};
+}
+function parseIPv4Address(address) {
+	const parts = address.split(".").map((part) => {
+		if (!/^\d+$/.test(part)) return NaN;
+		return parseInt(part, 10);
+	});
+	if (parts.length !== 4 || parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)) return null;
+	return parts;
+}
+function parseIPv6Address(address) {
+	const parts = expandIPv6Address(address).split(":");
+	if (parts.length !== 8) return null;
+	const words = parts.map((part) => {
+		if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+		return parseInt(part, 16);
+	});
+	if (words.some((word) => !Number.isInteger(word) || word < 0 || word > 65535)) return null;
+	return words;
+}
+function ipv4PartsToNumber(parts) {
+	return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 + parts[3];
+}
+function ipv4FromWords(highWord, lowWord) {
+	return [
+		highWord >> 8,
+		highWord & 255,
+		lowWord >> 8,
+		lowWord & 255
+	].join(".");
+}
+function matchesIPv4Prefix(address, prefixBase, prefixLength) {
+	const blockSize = 2 ** (32 - prefixLength);
+	return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+function matchesIPv6Prefix(address, prefixWords, prefixLength) {
+	let remaining = prefixLength;
+	for (let i = 0; i < 8 && remaining > 0; i++) if (remaining >= 16) {
+		if (address[i] !== prefixWords[i]) return false;
+		remaining -= 16;
+	} else {
+		const mask = 65535 << 16 - remaining & 65535;
+		if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+		remaining = 0;
+	}
+	return true;
+}
+//#endregion
+export { validatePublicUrl as a, isValidPublicIPv6Address as i, expandIPv6Address as n, isValidPublicIPv4Address as r, UrlError as t };

package/dist/tests/url.test.cjs

@@ -1,5 +1,5 @@
 require("./chunk-C2EiDwsr.cjs");
-const require_url = require("./url-CEmGms8t.cjs");
+const require_url = require("./url-C20FhC7p.cjs");
 let node_assert = require("node:assert");
 let node_test = require("node:test");
 //#region src/url.test.ts
@@ -10,7 +10,24 @@ let node_test = require("node:test");
 	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://127.0.0.1"), require_url.UrlError);
 	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[::1]"), require_url.UrlError);
 	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("http://[::ffff:7f00:1]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[64:ff9b::7f00:1]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[64:ff9b::a00:1]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[64:ff9b:1::a00:1]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[64:ff9b:1::808:808]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[2001::]/"), require_url.UrlError);
+	await (0, node_assert.rejects)(() => require_url.validatePublicUrl("https://[2002:a00:1::]/"), require_url.UrlError);
+	for (const url of [
+		"https://100.64.0.1",
+		"https://198.18.0.1",
+		"https://224.0.0.1",
+		"https://240.0.0.1",
+		"https://192.0.2.1",
+		"https://192.88.99.1",
+		"https://198.51.100.1",
+		"https://203.0.113.1"
+	]) await (0, node_assert.rejects)(() => require_url.validatePublicUrl(url), require_url.UrlError);
 	await require_url.validatePublicUrl("https://[2001:db8::1]");
+	await require_url.validatePublicUrl("https://[64:ff9b::8.8.8.8]");
 });
 (0, node_test.test)("isValidPublicIPv4Address()", () => {
 	(0, node_assert.ok)(require_url.isValidPublicIPv4Address("8.8.8.8"));
@@ -19,6 +36,24 @@ let node_test = require("node:test");
 	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("10.0.0.1"));
 	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("127.16.0.1"));
 	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("169.254.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("100.64.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("100.127.255.255"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.0.2.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.88.99.0"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.88.99.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.88.99.2"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("192.88.99.255"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("198.18.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("198.19.255.255"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("198.51.100.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("203.0.113.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("224.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("239.255.255.255"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("240.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("255.255.255.255"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("1.2.3"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv4Address("999.1.1.1"));
 });
 (0, node_test.test)("isValidPublicIPv6Address()", () => {
 	(0, node_assert.ok)(require_url.isValidPublicIPv6Address("2001:db8::1"));
@@ -28,11 +63,27 @@ let node_test = require("node:test");
 	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("ff00::1"));
 	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("::"));
 	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("::ffff:7f00:1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b::7f00:1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b::127.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b::a00:1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b::10.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b:1::"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b:1::a00:1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("64:ff9b:1::10.0.0.1"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2001::"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2002:a00:1::"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2002:7f00:1::"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2002:c0a8:1::"));
+	(0, node_assert.ok)(!require_url.isValidPublicIPv6Address("2002:a9fe:1::"));
+	(0, node_assert.ok)(require_url.isValidPublicIPv6Address("64:ff9b::808:808"));
+	(0, node_assert.ok)(require_url.isValidPublicIPv6Address("64:ff9b::8.8.8.8"));
 });
 (0, node_test.test)("expandIPv6Address()", () => {
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("::"), "0000:0000:0000:0000:0000:0000:0000:0000");
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("::1"), "0000:0000:0000:0000:0000:0000:0000:0001");
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
 	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
+	(0, node_assert.deepStrictEqual)(require_url.expandIPv6Address("64:ff9b::8.8.8.8"), "0064:ff9b:0000:0000:0000:0000:0808:0808");
 });
 //#endregion

package/dist/tests/url.test.mjs

@@ -1,4 +1,4 @@
-import { a as validatePublicUrl, i as isValidPublicIPv6Address, n as expandIPv6Address, r as isValidPublicIPv4Address, t as UrlError } from "./url-BzGwIxB4.mjs";
+import { a as validatePublicUrl, i as isValidPublicIPv6Address, n as expandIPv6Address, r as isValidPublicIPv4Address, t as UrlError } from "./url-m9Qzxy-Y.mjs";
 import { deepStrictEqual, ok, rejects } from "node:assert";
 import { test } from "node:test";
 //#region src/url.test.ts
@@ -9,7 +9,24 @@ test("validatePublicUrl()", async () => {
 	await rejects(() => validatePublicUrl("https://127.0.0.1"), UrlError);
 	await rejects(() => validatePublicUrl("https://[::1]"), UrlError);
 	await rejects(() => validatePublicUrl("http://[::ffff:7f00:1]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[64:ff9b::7f00:1]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[64:ff9b::a00:1]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[64:ff9b:1::a00:1]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[64:ff9b:1::808:808]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[2001::]/"), UrlError);
+	await rejects(() => validatePublicUrl("https://[2002:a00:1::]/"), UrlError);
+	for (const url of [
+		"https://100.64.0.1",
+		"https://198.18.0.1",
+		"https://224.0.0.1",
+		"https://240.0.0.1",
+		"https://192.0.2.1",
+		"https://192.88.99.1",
+		"https://198.51.100.1",
+		"https://203.0.113.1"
+	]) await rejects(() => validatePublicUrl(url), UrlError);
 	await validatePublicUrl("https://[2001:db8::1]");
+	await validatePublicUrl("https://[64:ff9b::8.8.8.8]");
 });
 test("isValidPublicIPv4Address()", () => {
 	ok(isValidPublicIPv4Address("8.8.8.8"));
@@ -18,6 +35,24 @@ test("isValidPublicIPv4Address()", () => {
 	ok(!isValidPublicIPv4Address("10.0.0.1"));
 	ok(!isValidPublicIPv4Address("127.16.0.1"));
 	ok(!isValidPublicIPv4Address("169.254.0.1"));
+	ok(!isValidPublicIPv4Address("100.64.0.1"));
+	ok(!isValidPublicIPv4Address("100.127.255.255"));
+	ok(!isValidPublicIPv4Address("192.0.0.1"));
+	ok(!isValidPublicIPv4Address("192.0.2.1"));
+	ok(!isValidPublicIPv4Address("192.88.99.0"));
+	ok(!isValidPublicIPv4Address("192.88.99.1"));
+	ok(!isValidPublicIPv4Address("192.88.99.2"));
+	ok(!isValidPublicIPv4Address("192.88.99.255"));
+	ok(!isValidPublicIPv4Address("198.18.0.1"));
+	ok(!isValidPublicIPv4Address("198.19.255.255"));
+	ok(!isValidPublicIPv4Address("198.51.100.1"));
+	ok(!isValidPublicIPv4Address("203.0.113.1"));
+	ok(!isValidPublicIPv4Address("224.0.0.1"));
+	ok(!isValidPublicIPv4Address("239.255.255.255"));
+	ok(!isValidPublicIPv4Address("240.0.0.1"));
+	ok(!isValidPublicIPv4Address("255.255.255.255"));
+	ok(!isValidPublicIPv4Address("1.2.3"));
+	ok(!isValidPublicIPv4Address("999.1.1.1"));
 });
 test("isValidPublicIPv6Address()", () => {
 	ok(isValidPublicIPv6Address("2001:db8::1"));
@@ -27,12 +62,28 @@ test("isValidPublicIPv6Address()", () => {
 	ok(!isValidPublicIPv6Address("ff00::1"));
 	ok(!isValidPublicIPv6Address("::"));
 	ok(!isValidPublicIPv6Address("::ffff:7f00:1"));
+	ok(!isValidPublicIPv6Address("64:ff9b::7f00:1"));
+	ok(!isValidPublicIPv6Address("64:ff9b::127.0.0.1"));
+	ok(!isValidPublicIPv6Address("64:ff9b::a00:1"));
+	ok(!isValidPublicIPv6Address("64:ff9b::10.0.0.1"));
+	ok(!isValidPublicIPv6Address("64:ff9b:1::"));
+	ok(!isValidPublicIPv6Address("64:ff9b:1::a00:1"));
+	ok(!isValidPublicIPv6Address("64:ff9b:1::10.0.0.1"));
+	ok(!isValidPublicIPv6Address("2001::"));
+	ok(!isValidPublicIPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2"));
+	ok(!isValidPublicIPv6Address("2002:a00:1::"));
+	ok(!isValidPublicIPv6Address("2002:7f00:1::"));
+	ok(!isValidPublicIPv6Address("2002:c0a8:1::"));
+	ok(!isValidPublicIPv6Address("2002:a9fe:1::"));
+	ok(isValidPublicIPv6Address("64:ff9b::808:808"));
+	ok(isValidPublicIPv6Address("64:ff9b::8.8.8.8"));
 });
 test("expandIPv6Address()", () => {
 	deepStrictEqual(expandIPv6Address("::"), "0000:0000:0000:0000:0000:0000:0000:0000");
 	deepStrictEqual(expandIPv6Address("::1"), "0000:0000:0000:0000:0000:0000:0000:0001");
 	deepStrictEqual(expandIPv6Address("2001:db8::"), "2001:0db8:0000:0000:0000:0000:0000:0000");
 	deepStrictEqual(expandIPv6Address("2001:db8::1"), "2001:0db8:0000:0000:0000:0000:0000:0001");
+	deepStrictEqual(expandIPv6Address("64:ff9b::8.8.8.8"), "0064:ff9b:0000:0000:0000:0000:0808:0808");
 });
 //#endregion
 export {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/vocab-runtime",
-  "version": "2.3.0-dev.1190+2dfa46e0",
+  "version": "2.3.0-dev.1213+8ffffeb8",
   "homepage": "https://fedify.dev/",
   "repository": {
     "type": "git",

package/src/url.test.ts

@@ -23,7 +23,46 @@ test("validatePublicUrl()", async () => {
     () => validatePublicUrl("http://[::ffff:7f00:1]/"),
     UrlError,
   );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b::7f00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b::a00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b:1::a00:1]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[64:ff9b:1::808:808]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[2001::]/"),
+    UrlError,
+  );
+  await rejects(
+    () => validatePublicUrl("https://[2002:a00:1::]/"),
+    UrlError,
+  );
+  for (
+    const url of [
+      "https://100.64.0.1",
+      "https://198.18.0.1",
+      "https://224.0.0.1",
+      "https://240.0.0.1",
+      "https://192.0.2.1",
+      "https://192.88.99.1",
+      "https://198.51.100.1",
+      "https://203.0.113.1",
+    ]
+  ) {
+    await rejects(() => validatePublicUrl(url), UrlError);
+  }
   await validatePublicUrl("https://[2001:db8::1]");
+  await validatePublicUrl("https://[64:ff9b::8.8.8.8]");
 });
 
 test("isValidPublicIPv4Address()", () => {
@@ -33,6 +72,24 @@ test("isValidPublicIPv4Address()", () => {
   ok(!isValidPublicIPv4Address("10.0.0.1")); // private
   ok(!isValidPublicIPv4Address("127.16.0.1")); // private
   ok(!isValidPublicIPv4Address("169.254.0.1")); // link-local
+  ok(!isValidPublicIPv4Address("100.64.0.1")); // shared address space
+  ok(!isValidPublicIPv4Address("100.127.255.255"));
+  ok(!isValidPublicIPv4Address("192.0.0.1")); // IETF protocol
+  ok(!isValidPublicIPv4Address("192.0.2.1")); // documentation
+  ok(!isValidPublicIPv4Address("192.88.99.0")); // 6to4 relay anycast
+  ok(!isValidPublicIPv4Address("192.88.99.1"));
+  ok(!isValidPublicIPv4Address("192.88.99.2")); // 6a44 relay anycast
+  ok(!isValidPublicIPv4Address("192.88.99.255"));
+  ok(!isValidPublicIPv4Address("198.18.0.1")); // benchmarking
+  ok(!isValidPublicIPv4Address("198.19.255.255"));
+  ok(!isValidPublicIPv4Address("198.51.100.1")); // documentation
+  ok(!isValidPublicIPv4Address("203.0.113.1")); // documentation
+  ok(!isValidPublicIPv4Address("224.0.0.1")); // multicast
+  ok(!isValidPublicIPv4Address("239.255.255.255"));
+  ok(!isValidPublicIPv4Address("240.0.0.1")); // reserved
+  ok(!isValidPublicIPv4Address("255.255.255.255")); // broadcast
+  ok(!isValidPublicIPv4Address("1.2.3"));
+  ok(!isValidPublicIPv4Address("999.1.1.1"));
 });
 
 test("isValidPublicIPv6Address()", () => {
@@ -43,6 +100,21 @@ test("isValidPublicIPv6Address()", () => {
   ok(!isValidPublicIPv6Address("ff00::1")); // multicast
   ok(!isValidPublicIPv6Address("::")); // unspecified
   ok(!isValidPublicIPv6Address("::ffff:7f00:1")); // IPv4-mapped
+  ok(!isValidPublicIPv6Address("64:ff9b::7f00:1")); // NAT64 localhost
+  ok(!isValidPublicIPv6Address("64:ff9b::127.0.0.1"));
+  ok(!isValidPublicIPv6Address("64:ff9b::a00:1")); // NAT64 private
+  ok(!isValidPublicIPv6Address("64:ff9b::10.0.0.1"));
+  ok(!isValidPublicIPv6Address("64:ff9b:1::")); // local-use NAT64
+  ok(!isValidPublicIPv6Address("64:ff9b:1::a00:1"));
+  ok(!isValidPublicIPv6Address("64:ff9b:1::10.0.0.1"));
+  ok(!isValidPublicIPv6Address("2001::")); // Teredo
+  ok(!isValidPublicIPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2"));
+  ok(!isValidPublicIPv6Address("2002:a00:1::")); // 6to4
+  ok(!isValidPublicIPv6Address("2002:7f00:1::"));
+  ok(!isValidPublicIPv6Address("2002:c0a8:1::"));
+  ok(!isValidPublicIPv6Address("2002:a9fe:1::"));
+  ok(isValidPublicIPv6Address("64:ff9b::808:808")); // NAT64 public
+  ok(isValidPublicIPv6Address("64:ff9b::8.8.8.8"));
 });
 
 test("expandIPv6Address()", () => {
@@ -62,4 +134,8 @@ test("expandIPv6Address()", () => {
     expandIPv6Address("2001:db8::1"),
     "2001:0db8:0000:0000:0000:0000:0000:0001",
   );
+  deepStrictEqual(
+    expandIPv6Address("64:ff9b::8.8.8.8"),
+    "0064:ff9b:0000:0000:0000:0000:0808:0808",
+  );
 });

package/src/url.ts

@@ -70,29 +70,45 @@ function validatePublicIpAddress(address: string, family: number): void {
 }
 
 export function isValidPublicIPv4Address(address: string): boolean {
-  const parts = address.split(".");
-  const first = parseInt(parts[0]);
-  if (first === 0 || first === 10 || first === 127) return false;
-  const second = parseInt(parts[1]);
-  if (first === 169 && second === 254) return false;
-  if (first === 172 && second >= 16 && second <= 31) return false;
-  if (first === 192 && second === 168) return false;
-  return true;
+  const parts = parseIPv4Address(address);
+  if (parts == null) return false;
+  const value = ipv4PartsToNumber(parts);
+  return !nonPublicIPv4Prefixes.some(({ base, prefix }) =>
+    matchesIPv4Prefix(value, base, prefix)
+  );
 }
 
 export function isValidPublicIPv6Address(address: string): boolean {
-  address = expandIPv6Address(address);
-  if (address.at(4) !== ":") return false;
-  const firstWord = parseInt(address.substring(0, 4), 16);
-  return !(
-    (firstWord >= 0xfc00 && firstWord <= 0xfdff) || // ULA
-    (firstWord >= 0xfe80 && firstWord <= 0xfebf) || // Link-local
-    firstWord === 0 || firstWord >= 0xff00 // Multicast
-  );
+  const words = parseIPv6Address(address);
+  if (words == null) return false;
+  if (
+    nonPublicIPv6Prefixes.some(({ words: prefixWords, prefix }) =>
+      matchesIPv6Prefix(words, prefixWords, prefix)
+    )
+  ) return false;
+  for (
+    const { extractIPv4, prefix, words: prefixWords } of ipv6WithIPv4Prefixes
+  ) {
+    if (!matchesIPv6Prefix(words, prefixWords, prefix)) continue;
+    const ipv4Address = extractIPv4(words);
+    if (ipv4Address != null && !isValidPublicIPv4Address(ipv4Address)) {
+      return false;
+    }
+  }
+  return true;
 }
 
 export function expandIPv6Address(address: string): string {
   address = address.toLowerCase();
+  const ipv4Delimiter = address.lastIndexOf(":");
+  if (address.includes(".") && ipv4Delimiter >= 0) {
+    const ipv4Parts = parseIPv4Address(address.substring(ipv4Delimiter + 1));
+    if (ipv4Parts == null) return address;
+    const high = (ipv4Parts[0] << 8) + ipv4Parts[1];
+    const low = (ipv4Parts[2] << 8) + ipv4Parts[3];
+    address = address.substring(0, ipv4Delimiter + 1) +
+      high.toString(16) + ":" + low.toString(16);
+  }
   if (address === "::") return "0000:0000:0000:0000:0000:0000:0000:0000";
   if (address.startsWith("::")) address = "0000" + address;
   if (address.endsWith("::")) address = address + "0000";
@@ -103,3 +119,153 @@ export function expandIPv6Address(address: string): string {
   const parts = address.split(":");
   return parts.map((part) => part.padStart(4, "0")).join(":");
 }
+
+type IPv4Prefix = {
+  cidr: string;
+  base: number;
+  prefix: number;
+  rfc: string;
+};
+
+// Keep CIDR and RFC metadata in the table instead of row comments so security
+// reviewers can audit each blocked range without duplicating source text.
+const nonPublicIPv4Prefixes = [
+  ipv4Prefix("0.0.0.0/8", "RFC 6890"),
+  ipv4Prefix("10.0.0.0/8", "RFC 1918"),
+  ipv4Prefix("100.64.0.0/10", "RFC 6598"),
+  ipv4Prefix("127.0.0.0/8", "RFC 1122"),
+  ipv4Prefix("169.254.0.0/16", "RFC 3927"),
+  ipv4Prefix("172.16.0.0/12", "RFC 1918"),
+  ipv4Prefix("192.0.0.0/24", "RFC 6890"),
+  ipv4Prefix("192.0.2.0/24", "RFC 5737"),
+  ipv4Prefix("192.88.99.0/24", "RFC 7526"),
+  ipv4Prefix("192.168.0.0/16", "RFC 1918"),
+  ipv4Prefix("198.18.0.0/15", "RFC 2544"),
+  ipv4Prefix("198.51.100.0/24", "RFC 5737"),
+  ipv4Prefix("203.0.113.0/24", "RFC 5737"),
+  ipv4Prefix("224.0.0.0/4", "RFC 5771"),
+  ipv4Prefix("240.0.0.0/4", "RFC 1112"),
+];
+
+type IPv6Prefix = {
+  cidr: string;
+  words: number[];
+  prefix: number;
+  rfc: string;
+};
+
+const nonPublicIPv6Prefixes = [
+  ipv6Prefix("::/16", "RFC 4291"),
+  ipv6Prefix("2001::/32", "RFC 4380"),
+  ipv6Prefix("2002::/16", "RFC 3056"),
+  ipv6Prefix("64:ff9b:1::/48", "RFC 8215"),
+  ipv6Prefix("fc00::/7", "RFC 4193"),
+  ipv6Prefix("fe80::/10", "RFC 4291"),
+  ipv6Prefix("ff00::/8", "RFC 4291"),
+];
+
+type IPv6WithIPv4Prefix = IPv6Prefix & {
+  extractIPv4: (words: number[]) => string | null;
+};
+
+// This table has one entry for now, but keeps embedded IPv4 extraction aligned
+// with the CIDR metadata above if another translation prefix needs it later.
+const ipv6WithIPv4Prefixes: IPv6WithIPv4Prefix[] = [
+  {
+    ...ipv6Prefix("64:ff9b::/96", "RFC 6052"),
+    extractIPv4: (words) => ipv4FromWords(words[6], words[7]),
+  },
+];
+
+function ipv4Prefix(cidr: string, rfc: string): IPv4Prefix {
+  const [address, prefixText] = cidr.split("/");
+  const prefix = parseInt(prefixText, 10);
+  const parts = parseIPv4Address(address);
+  if (parts == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
+    throw new Error(`Invalid IPv4 prefix: ${cidr}`);
+  }
+  return { cidr, base: ipv4PartsToNumber(parts), prefix, rfc };
+}
+
+function ipv6Prefix(cidr: string, rfc: string): IPv6Prefix {
+  const [address, prefixText] = cidr.split("/");
+  const prefix = parseInt(prefixText, 10);
+  const words = parseIPv6Address(address);
+  if (
+    words == null || !Number.isInteger(prefix) || prefix < 0 || prefix > 128
+  ) {
+    throw new Error(`Invalid IPv6 prefix: ${cidr}`);
+  }
+  return { cidr, words, prefix, rfc };
+}
+
+function parseIPv4Address(address: string): number[] | null {
+  const parts = address.split(".").map((part) => {
+    if (!/^\d+$/.test(part)) return NaN;
+    return parseInt(part, 10);
+  });
+  // Keep explicit bounds checks even though the regex narrows today's parser;
+  // they make future parser changes fail closed.
+  if (
+    parts.length !== 4 ||
+    parts.some((part) => !Number.isInteger(part) || part < 0 || part > 255)
+  ) return null;
+  return parts;
+}
+
+function parseIPv6Address(address: string): number[] | null {
+  const parts = expandIPv6Address(address).split(":");
+  if (parts.length !== 8) return null;
+  const words = parts.map((part) => {
+    if (!/^[0-9a-f]{1,4}$/i.test(part)) return NaN;
+    return parseInt(part, 16);
+  });
+  // Keep explicit bounds checks even though the regex narrows today's parser;
+  // they make future parser changes fail closed.
+  if (
+    words.some((word) => !Number.isInteger(word) || word < 0 || word > 0xffff)
+  ) return null;
+  return words;
+}
+
+function ipv4PartsToNumber(parts: number[]): number {
+  return parts[0] * 2 ** 24 + parts[1] * 2 ** 16 + parts[2] * 2 ** 8 +
+    parts[3];
+}
+
+function ipv4FromWords(highWord: number, lowWord: number): string {
+  return [
+    highWord >> 8,
+    highWord & 0xff,
+    lowWord >> 8,
+    lowWord & 0xff,
+  ].join(".");
+}
+
+function matchesIPv4Prefix(
+  address: number,
+  prefixBase: number,
+  prefixLength: number,
+): boolean {
+  const blockSize = 2 ** (32 - prefixLength);
+  return Math.floor(address / blockSize) === Math.floor(prefixBase / blockSize);
+}
+
+function matchesIPv6Prefix(
+  address: number[],
+  prefixWords: number[],
+  prefixLength: number,
+): boolean {
+  let remaining = prefixLength;
+  for (let i = 0; i < 8 && remaining > 0; i++) {
+    if (remaining >= 16) {
+      if (address[i] !== prefixWords[i]) return false;
+      remaining -= 16;
+    } else {
+      const mask = (0xffff << (16 - remaining)) & 0xffff;
+      if ((address[i] & mask) !== (prefixWords[i] & mask)) return false;
+      remaining = 0;
+    }
+  }
+  return true;
+}