fix(core): reject bracketed IPv6 in web viewport URL validation

[hyperb1iss]

Motivation

• The Web Viewport URL validator skipped private/loopback IP checks for bracketed IPv6 host literals (e.g. http://[::1]:8080/) because Url::host_str() returns bracketed IPv6 and host.parse::<IpAddr>() fails, enabling an SSRF-style bypass; this change closes that gap.

Description

• Use a new helper host_as_ip(host: &str) -> Option<IpAddr> that strips [/] from IPv6 literals before parsing to IpAddr and wire it into validate_web_url so bracketed IPv6 and IPv4-mapped IPv6 addresses are classified correctly.
• Replace the previous host.parse::<IpAddr>() branch with host_as_ip(host) in validate_web_url to ensure the private/loopback check runs for IPv6 literals.
• Add two focused unit tests: host_as_ip_handles_bracketed_ipv6_literals and validate_web_url_rejects_bracketed_private_or_loopback_ipv6 to prevent regressions.
• No changes to the allowed schemes or hostname (localhost/.local) checks; behavior remains limited to normalizing host parsing for IP classification.

Testing

• Added unit tests in crates/hypercolor-core/src/effect/builtin/web_viewport.rs that cover bracketed IPv6 parsing and rejection by validate_web_url.
• Attempted to run cargo test -p hypercolor-core web_viewport, but the run failed in this environment due to a missing native dependency (libpipewire-0.3) required by libspa-sys, so the tests could not be executed here.
• The change is localized and the new tests should pass in a build environment with the required system libraries installed.

---

Codex Task

[coderabbitai]

Warning

Review limit reached

@hyperb1iss, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 58 minutes and 27 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7b26718c-ef2a-4845-8e96-969899a08f1e

📥 Commits

Reviewing files that changed from the base of the PR and between 6f749b6 and 1168ac5.

📒 Files selected for processing (1)

• crates/hypercolor-core/src/effect/builtin/web_viewport.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/fix-ipv6-literals-bypass-in-url-validation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}