c349986187
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 25s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 41s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m16s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 2m49s
Python's ipaddress module does NOT classify 100.64.0.0/10 (RFC6598 carrier-grade NAT) as private/loopback/link_local/multicast/reserved. This means a SERVER_URL resolving to a CGN address would bypass the Python SSRF check and reach curl with ACTION_TOKEN.

Add an explicit network membership check for 100.64.0.0/10 to both Python validation blocks in action.yml:
- _ssrf_check.py (VCS URL pre-flight check)
- _ssrf_check_install.py (binary download URL check)

The Go-level IsBlockedIP already covers this range correctly (ipcheck.go); this fix closes the gap in the action.yml Python layer.

Also update comments to mention RFC6598 explicitly.
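An added example, not the repository's _ssrf_check.py, showing the gap the commit describes and the explicit membership check that closes it; the function names `stdlib_flags` and `is_blocked_ip` are assumptions, and the sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space (carrier-grade NAT). The stdlib is_private
# flag does not cover it, so the range has to be listed explicitly.
CGN_NETWORK = ipaddress.ip_network("100.64.0.0/10")


def stdlib_flags(addr: str) -> dict:
    """Return the stdlib classification flags for one address (for comparison)."""
    ip = ipaddress.ip_address(addr)
    return {
        "is_private": ip.is_private,
        "is_loopback": ip.is_loopback,
        "is_link_local": ip.is_link_local,
        "is_multicast": ip.is_multicast,
        "is_reserved": ip.is_reserved,
    }


def is_blocked_ip(addr: str) -> bool:
    """True if a resolved address must not be contacted with a secret token.

    Hypothetical helper (not the project's own code). It applies the stdlib
    flags and adds the explicit RFC 6598 membership check. IPv4-mapped IPv6
    addresses are unwrapped first so that ::ffff:100.64.0.1 is judged by the
    same rules as 100.64.0.1.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    # The gap: shared address space is none of the flags above.
    return isinstance(ip, ipaddress.IPv4Address) and ip in CGN_NETWORK


if __name__ == "__main__":
    # Constructed sample inputs: CGN, mapped CGN, RFC 1918, and a public address.
    for a in ("100.64.0.1", "::ffff:100.64.0.1", "10.0.0.1", "8.8.8.8"):
        print(f"{a:>20}  blocked={is_blocked_ip(a)}")
    print("stdlib flags for 100.64.0.1:", stdlib_flags("100.64.0.1"))
```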