fix: SSRF IPv6 host extraction bug, add WAF edge case tests

Fix extractHost() to properly strip IPv6 brackets before net.ParseIP,
enabling detection of private IPv6 addresses (ULA fd00::/8, loopback
::1) and AWS IPv6 metadata endpoint. Also fix isInternalHost() to
strip brackets.

Add 12 SSRF edge case tests (IPv6 loopback/ULA, AWS IPv6 metadata,
mixed-case hostname, short IP forms, Alibaba/GCP metadata, multiple
URLs, 172.x boundary, link-local, credential bypass external, URL with
port). Add 7 path traversal edge case tests (mixed encoding, repeated
encoded traversal, encoded dots in query, null byte + traversal,
backslash traversal, encoded backslash dots).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: ersinkoc

.project/ROADMAP.md

@@ -22,11 +22,8 @@
 
 **Priority: CRITICAL** — These affect any deployment exposed to untrusted traffic.
 
-### 1.1 WAF SSRF Detection
-- **File:** `internal/waf/detection/ssrf.go`
-- **Status:** MOSTLY DONE — IPv6 loopback/ULA, decimal/octal IP regex, cloud metadata hosts (AWS/GCP/Alibaba/AWS IPv6) already implemented. Minor edge cases may remain.
-- **Remaining:** Verify Azure/DigitalOcean metadata IPs, add additional edge case tests
-- **Effort:** 2-3 hours (reduced from 1 day)
+### ~~1.1 WAF SSRF Detection~~ (FIXED)
+- **Status:** Fixed IPv6 host extraction bug in `extractHost` (brackets prevented `net.ParseIP` from matching). Azure/DigitalOcean metadata already covered by `169.254.169.254`. Added edge case tests: IPv6 loopback, IPv6 ULA, AWS IPv6 metadata, mixed-case hostname, short IP forms, Alibaba metadata, GCP metadata, multiple URLs, 172.x boundary values, link-local, credential bypass to external, URL with port.
 
 ### ~~1.2 MCP SSE Transport CORS~~ (FALSE POSITIVE)
 - **Status:** ALREADY IMPLEMENTED — `sse_transport.go` has configurable `AllowedOrigins` list with `Vary: Origin` and `Access-Control-Allow-Credentials: true`. No wildcard CORS.
@@ -37,10 +34,8 @@
 ### ~~1.4 PROXY Protocol Trusted Upstreams~~ (FALSE POSITIVE)
 - **Status:** ALREADY IMPLEMENTED — `PROXYProtocolConfig.TrustedNetworks` CIDR list with `isTrustedSource()` method. Default: trust no one (empty list = reject all PROXY headers).
 
-### 1.5 Path Traversal Verification
-- **File:** `internal/router/match.go`
-- **Work:** Add comprehensive edge case tests for URL-encoded path traversal: `%2e%2e/%2e%2e`, `..%2f`, `%2e%2e%5c`, double encoding. Verify `normalizePath` handles all variants.
-- **Effort:** 3 hours
+### ~~1.5 Path Traversal Verification~~ (FIXED)
+- **Status:** Added edge case tests for mixed encoding (literal + encoded slash, encoded dots + literal, case-insensitive `%2E%2E%2F`), repeated encoded traversal, encoded dots in query params, null byte with traversal, backslash traversal, encoded backslash dots. All existing and new tests pass.
 
 ---
 

internal/waf/detection/pathtraversal/pathtraversal_test.go

@@ -411,3 +411,98 @@ func TestPathTraversal_FullyEncodedDots(t *testing.T) {
 		})
 	}
 }
+
+func TestPathTraversal_MixedEncoding(t *testing.T) {
+	d := New()
+	tests := []struct {
+		name string
+		path string
+		rule string
+	}{
+		{"literal + encoded slash", "/..%2f..%2fsafe", "encoded_traversal"},
+		{"encoded dots + literal", "/%2e%2e/../safe", "encoded_traversal"},
+		{"case-insensitive encoding", "/%2E%2E%2Fsafe", "encoded_traversal"},
+		{"case-insensitive dots", "/..%2F..%2Fsafe", "encoded_traversal"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := newCtx(tt.path, "")
+			findings := d.Detect(ctx)
+			if len(findings) == 0 {
+				t.Fatalf("expected detection for %q", tt.path)
+			}
+			found := false
+			for _, f := range findings {
+				if f.Rule == tt.rule {
+					found = true
+				}
+			}
+			if !found {
+				t.Errorf("expected rule %q for %q, got rules: %v", tt.rule, tt.path, findingsToRules(findings))
+			}
+		})
+	}
+}
+
+func TestPathTraversal_RepeatedEncodedTraversal(t *testing.T) {
+	d := New()
+	// Deep traversal with all encoded components
+	ctx := newCtx("/%2e%2e/%2e%2e/%2e%2e/safe", "")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for repeated encoded traversal")
+	}
+}
+
+func TestPathTraversal_EncodedDotsInQuery(t *testing.T) {
+	d := New()
+	ctx := newCtx("/page", "file=%2e%2e/%2e%2e/safe")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for encoded dots in query")
+	}
+	found := false
+	for _, f := range findings {
+		if f.Rule == "encoded_traversal" {
+			found = true
+		}
+	}
+	if !found {
+		t.Errorf("expected encoded_traversal rule in query, got: %v", findingsToRules(findings))
+	}
+}
+
+func TestPathTraversal_NullByteWithTraversal(t *testing.T) {
+	d := New()
+	ctx := newCtx("/../safe%00.jpg", "")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for null byte with traversal")
+	}
+}
+
+func TestPathTraversal_BackslashTraversal(t *testing.T) {
+	d := New()
+	ctx := newCtx("/..\\..\\safe", "")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for backslash traversal")
+	}
+}
+
+func TestPathTraversal_EncodedBackslashDots(t *testing.T) {
+	d := New()
+	ctx := newCtx("/%2e%2e%5c%2e%2e%5csafe", "")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for encoded backslash traversal")
+	}
+}
+
+func findingsToRules(findings []detection.Finding) []string {
+	rules := make([]string, len(findings))
+	for i, f := range findings {
+		rules[i] = f.Rule
+	}
+	return rules
+}

internal/waf/detection/ssrf/ipcheck.go

@@ -38,17 +38,21 @@ func isPrivateIP(ip net.IP) bool {
 // isInternalHost checks if a host string resolves to an internal/private address.
 func isInternalHost(host string) bool {
 	lower := strings.ToLower(host)
-	if lower == "localhost" || lower == "127.0.0.1" || lower == "[::1]" || lower == "0.0.0.0" {
+	// Strip IPv6 brackets if present
+	lower = strings.TrimPrefix(lower, "[")
+	lower = strings.TrimSuffix(lower, "]")
+	if lower == "localhost" || lower == "127.0.0.1" || lower == "::1" || lower == "0.0.0.0" {
 		return true
 	}
-	ip := net.ParseIP(host)
+	ip := net.ParseIP(lower)
 	if ip != nil {
 		return isPrivateIP(ip)
 	}
 	return false
 }
 
 // extractHost extracts the hostname from a URL string.
+// Strips brackets from IPv6 addresses so the result is parseable by net.ParseIP.
 func extractHost(u string) string {
 	s := u
 	if idx := strings.Index(s, "://"); idx >= 0 {
@@ -57,14 +61,19 @@ func extractHost(u string) string {
 	if idx := strings.IndexByte(s, '/'); idx >= 0 {
 		s = s[:idx]
 	}
-	if idx := strings.LastIndexByte(s, ':'); idx >= 0 {
-		if !strings.Contains(s, "[") {
-			s = s[:idx]
-		}
-	}
 	if idx := strings.IndexByte(s, '@'); idx >= 0 {
 		s = s[idx+1:]
 	}
+	// Strip IPv6 brackets: [::1]:80 -> ::1
+	if strings.Contains(s, "[") {
+		s = strings.TrimPrefix(s, "[")
+		if closeIdx := strings.IndexByte(s, ']'); closeIdx >= 0 {
+			s = s[:closeIdx]
+		}
+	} else if idx := strings.LastIndexByte(s, ':'); idx >= 0 {
+		// Strip port for non-IPv6 hosts
+		s = s[:idx]
+	}
 	return s
 }
 

internal/waf/detection/ssrf/ssrf_test.go

@@ -150,7 +150,7 @@ func TestSSRFDetector_ExtractHost(t *testing.T) {
 		{"http://example.com/path", "example.com"},
 		{"https://10.0.0.1:8080/api", "10.0.0.1"},
 		{"http://user@localhost/admin", "localhost"},
-		{"http://[::1]:80/path", "[::1]:80"},
+		{"http://[::1]:80/path", "::1"},
 		{"http://hostname", "hostname"},
 	}
 	d := New()
@@ -207,6 +207,7 @@ func TestSSRFDetector_IsInternalHost(t *testing.T) {
 		{"localhost", true},
 		{"127.0.0.1", true},
 		{"[::1]", true},
+		{"::1", true},
 		{"0.0.0.0", true},
 		{"10.0.0.1", true},
 		{"192.168.1.1", true},
@@ -289,3 +290,163 @@ func TestSSRFDetector_Truncate(t *testing.T) {
 		t.Errorf("expected length 83, got %d", len(long))
 	}
 }
+
+func TestSSRFDetector_IPv6Loopback(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://[::1]/admin")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for IPv6 loopback [::1]")
+	}
+}
+
+func TestSSRFDetector_IPv6ULA(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://[fd00::1]/internal")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for IPv6 ULA fd00::1")
+	}
+}
+
+func TestSSRFDetector_AWSIPv6Metadata(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://[fd00:ec2::254]/latest/meta-data/")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for AWS IPv6 metadata endpoint")
+	}
+}
+
+func TestSSRFDetector_MixedCaseHostname(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://LoCaLhOsT/admin")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for mixed-case localhost")
+	}
+}
+
+func TestSSRFDetector_ShortIPForms(t *testing.T) {
+	d := New()
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{"zero ip", "url=http://0/"},
+		{"zero zero zero zero", "url=http://0.0.0.0/"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := newCtx(tt.input)
+			findings := d.Detect(ctx)
+			if len(findings) == 0 {
+				t.Errorf("expected SSRF detection for %q", tt.input)
+			}
+		})
+	}
+}
+
+func TestSSRFDetector_AlibabaMetadata(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://100.100.100.200/latest/meta-data/")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for Alibaba Cloud metadata 100.100.100.200")
+	}
+}
+
+func TestSSRFDetector_GCPMetadata(t *testing.T) {
+	d := New()
+	tests := []struct {
+		name  string
+		input string
+	}{
+		{"google.internal", "url=http://metadata.google.internal/computeMetadata/v1/"},
+		{"metadata.google", "url=http://metadata.google/computeMetadata/v1/"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := newCtx(tt.input)
+			findings := d.Detect(ctx)
+			if len(findings) == 0 {
+				t.Errorf("expected SSRF detection for GCP metadata %q", tt.input)
+			}
+			found := false
+			for _, f := range findings {
+				if f.Rule == "cloud_metadata" {
+					found = true
+					if f.Score < 90 {
+						t.Errorf("expected score >= 90 for cloud metadata, got %d", f.Score)
+					}
+				}
+			}
+			if !found {
+				t.Error("expected cloud_metadata rule")
+			}
+		})
+	}
+}
+
+func TestSSRFDetector_MultipleURLs(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://example.com/safe callback=http://127.0.0.1/secret")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection when second URL targets localhost")
+	}
+}
+
+func TestSSRFDetector_Private172Range(t *testing.T) {
+	// Test boundary values of 172.16-31 range
+	tests := []struct {
+		ip      string
+		private bool
+	}{
+		{"172.16.0.1", true},
+		{"172.20.0.1", true},
+		{"172.31.255.255", true},
+		{"172.15.255.255", false},
+		{"172.32.0.1", false},
+	}
+	for _, tt := range tests {
+		ip := net.ParseIP(tt.ip)
+		got := isPrivateIP(ip)
+		if got != tt.private {
+			t.Errorf("isPrivateIP(%q) = %v, want %v", tt.ip, got, tt.private)
+		}
+	}
+}
+
+func TestSSRFDetector_LinkLocal(t *testing.T) {
+	d := New()
+	// 169.254.x.x is link-local (used for cloud metadata)
+	ctx := newCtx("url=http://169.254.0.1/")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected detection for link-local IP 169.254.0.1")
+	}
+}
+
+func TestSSRFDetector_CredentialBypassExternal(t *testing.T) {
+	d := New()
+	// Credential bypass to external host should not trigger
+	ctx := newCtx("url=http://user:pass@example.com/api")
+	findings := d.Detect(ctx)
+	totalScore := 0
+	for _, f := range findings {
+		totalScore += f.Score
+	}
+	if totalScore >= 50 {
+		t.Errorf("expected no significant SSRF for credential URL to external host, got score %d", totalScore)
+	}
+}
+
+func TestSSRFDetector_URLWithPort(t *testing.T) {
+	d := New()
+	ctx := newCtx("url=http://127.0.0.1:8080/admin")
+	findings := d.Detect(ctx)
+	if len(findings) == 0 {
+		t.Error("expected SSRF detection for localhost with port")
+	}
+}