SECURITY: SSRF protection bypass with IPv4-mapped IPv6 addresses

As part of this commit, we've also expanded our list of private IP
ranges based on
https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
and https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml

spec/lib/final_destination/ssrf_detector_spec.rb

@@ -43,9 +43,19 @@ describe FinalDestination::SSRFDetector do
       expect(subject.ip_allowed?("9001:82f3:8873::3")).to eq(false)
     end
 
-    it "returns false for standard internal IPs" do
-      expect(subject.ip_allowed?("172.31.100.31")).to eq(false)
-      expect(subject.ip_allowed?("fd02:77fa:ffea::f")).to eq(false)
+    %w[0.0.0.0 10.0.0.0 127.0.0.0 172.31.100.31 255.255.255.255 ::1 ::].each do |internal_ip|
+      it "returns false for '#{internal_ip}'" do
+        expect(subject.ip_allowed?(internal_ip)).to eq(false)
+      end
+    end
+
+    it "returns false for private IPv4-mapped IPv6 addresses" do
+      expect(subject.ip_allowed?("::ffff:172.31.100.31")).to eq(false)
+      expect(subject.ip_allowed?("::ffff:0.0.0.0")).to eq(false)
+    end
+
+    it "returns true for public IPv4-mapped IPv6 addresses" do
+      expect(subject.ip_allowed?("::ffff:52.52.167.244")).to eq(true)
     end
   end