Merge commit from fork

Fixed GHSA-96pq-hxpw-rgh8

Author: brandonkelly

CHANGELOG.md

@@ -5,6 +5,7 @@
 - The `utils/fix-field-layout-uids` command now checks for duplicate top-level field layout UUIDs. ([#18193](https://github.com/craftcms/cms/pull/18193))
 - Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. ([craftcms/commerce#4006](https://github.com/craftcms/commerce/issues/4006))
 - Fixed a bug where custom selects could be positioned incorrectly after the window was resized. ([#18179](https://github.com/craftcms/cms/issues/18179))
+- Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8)
 
 ## 4.16.17 - 2025-12-0421
 

src/gql/resolvers/mutations/Asset.php

@@ -242,12 +242,7 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         } elseif (!empty($fileInformation['url'])) {
             $url = $fileInformation['url'];
 
-            // make sure the hostname is alphanumeric and not an IP address
-            $hostname = parse_url($url, PHP_URL_HOST);
-            if (
-                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
-                filter_var($hostname, FILTER_VALIDATE_IP)
-            ) {
+            if (!$this->validateHostname($url)) {
                 throw new UserError("$url contains an invalid hostname.");
             }
 
@@ -283,6 +278,46 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
         return true;
     }
 
+    private function validateHostname(string $url): bool
+    {
+        // make sure the hostname is alphanumeric and not an IP address
+        $hostname = parse_url($url, PHP_URL_HOST);
+        if (
+            !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
+            filter_var($hostname, FILTER_VALIDATE_IP)
+        ) {
+            return false;
+        }
+
+        // Check against well-known cloud metadata domains/IPs
+        // h/t https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
+        if (in_array($hostname, [
+            'kubernetes.default',
+            'kubernetes.default.svc',
+            'kubernetes.default.svc.cluster.local',
+            'metadata',
+            'metadata.google.internal',
+            'metadata.packet.net',
+        ])) {
+            return false;
+        }
+
+        // make sure the hostname doesn’t resolve to a known cloud metadata IP
+        $ip = gethostbyname($hostname);
+
+        if (in_array($ip, [
+            '169.254.169.254',
+            '169.254.170.2',
+            '169.254.169.254',
+            '100.100.100.200',
+            '192.0.0.192',
+        ])) {
+            return false;
+        }
+
+        return true;
+    }
+
     /**
      * Create the guzzle client.
      *