Check if a hostname resolves to the link-local metadata IP 169.254.169.254. Catches hex (0xA9FEA9FE), decimal (2852039166), and octal (0251.0376.0251.0376) forms.
(hostname: string)
| 60 | * Catches hex (0xA9FEA9FE), decimal (2852039166), and octal (0251.0376.0251.0376) forms. |
| 61 | */ |
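function isMetadataIp(hostname: string): boolean {
  // Literal check only: nothing here performs a DNS lookup. The URL parser
  // canonicalises hex, decimal and octal IPv4 spellings to dotted decimal,
  // so a single lookup on the normalized host covers all of them.
  const candidates = [hostname];

  // A bare IPv6 literal (e.g. "fd00::1") is not a valid URL authority, so the
  // unbracketed probe throws and the address used to fall through to "not
  // blocked". Also probe the bracketed form, which the parser accepts and
  // which yields the same bracketed hostname isBlockedIpv6 already receives.
  if (hostname.includes(':') && !hostname.startsWith('[')) {
    candidates.push(`[${hostname}]`);
  }

  for (const candidate of candidates) {
    let normalized: string;
    try {
      normalized = new URL(`http://${candidate}`).hostname;
    } catch {
      // Not parseable as a URL host in this spelling; try the next one.
      continue;
    }

    if (BLOCKED_METADATA_HOSTS.has(normalized) || isBlockedIpv6(normalized)) {
      return true;
    }

    // Names keep a trailing root dot after parsing ("name." and "name" are
    // the same host), so repeat the lookup without it.
    if (normalized.endsWith('.') && BLOCKED_METADATA_HOSTS.has(normalized.slice(0, -1))) {
      return true;
    }
  }

  // NOTE(review): input that cannot be parsed at all still yields false
  // (fail-open). Callers should not read false as proof the host is safe;
  // a name that resolves to a blocked address needs a separate check on the
  // resolved IPs.
  return false;
}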
| 75 | |
| 76 | /** |
| 77 | * Resolve a hostname to its IP addresses and check if any resolve to blocked metadata IPs. |