fix(core): close IPv6/unspecified SSRF bypass in web viewport

[hyperb1iss]

Summary

Follow-up to #64. The web viewport SSRF guard had a bracketed-IPv6 hole
that let every IPv6 destination through, plus two narrower bypasses.

validate_web_url classified the host via Url::host_str(), which
renders IPv6 literals in bracketed form ([::1]). The subsequent
host.parse::<IpAddr>() fails on that bracket text, so
is_private_or_loopback_ip was never reached. http://[::1]/,
http://[::ffff:127.0.0.1]/ (IPv4-mapped loopback), and
http://[fc00::1]/ (unique-local) all resolved and fetched freely.

Two smaller gaps: the unspecified addresses 0.0.0.0 and [::]
connect to the local host but matched no private/loopback predicate,
and a trailing dot (localhost.) sidestepped the literal localhost
check while resolving identically.

Fix

• Match on the parsed Url::host() enum so IPv6 literals arrive as
  Host::Ipv6 and reach the IP classifier.
• Reject unspecified addresses (0.0.0.0, [::]) explicitly.
• Strip a trailing dot before the local-hostname comparison.
• Add validate_web_url tests driven by concrete attack URL strings
  ([::1], IPv4-mapped, ULA, link-local, unspecified, decimal-IP,
  localhost., bad schemes) rather than only the IP predicate.

Verification

• cargo test -p hypercolor-core --features servo --lib web_viewport
  — 13 passed (includes the two new SSRF tests)
• cargo clippy -p hypercolor-core --features servo --lib --tests — clean
• cargo check --workspace — clean
• cargo fmt --all --check — clean

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@hyperb1iss has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 28 minutes and 7 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ecc9667a-3a56-4fa5-b3a6-01f4d5f19a4c

📥 Commits

Reviewing files that changed from the base of the PR and between 45768b1 and fb70b95.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (2)

• crates/hypercolor-core/Cargo.toml
• crates/hypercolor-core/src/effect/builtin/web_viewport.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/web-viewport-ipv6-ssrf

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}