fix: MCPSecurityPolicy missing 0.0.0.0/8 and ::/128 CIDR blocks #6908

@jongio

Summary

BlockPrivateNetworks() in pkg/azdext/mcp_security.go is missing two CIDR blocks that were present in the original azd-rest SSRF protection:

  • 0.0.0.0/8 — "this" network, reaches loopback on Linux/macOS
  • ::/128 — IPv6 unspecified address, reaches loopback on some systems

Impact

Moderate severity, low practical risk.

The 0.0.0.0/8 gap is a known SSRF bypass technique — requests to 0.0.0.1 reach loopback on Linux/macOS, bypassing a 127.0.0.0/8-only block. However, practical exploitability is limited because:

  1. Only azd-rest is affected (the only extension making outbound HTTP from user-provided URLs)
  2. azd-rest runs locally as a CLI extension, not as a server
  3. DefaultMCPSecurityPolicy() also enforces HTTPS, which independently blocks http://0.0.0.1 requests

The ::/128 gap is negligible — most systems map :: to ::1 which is already blocked.
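As an added illustration of the gap described above (example code written for this issue, not azd's code and not the list in pkg/azdext/mcp_security.go), the block below builds a constructed deny-list of private and special-purpose ranges, then derives a second list with 0.0.0.0/8 and ::/128 removed, and checks a few IP literals against both. The function names `isBlocked`, `mustParseCIDRs` and `without` are hypothetical; the addresses are sample inputs.

```go
package main

import (
	"fmt"
	"net"
)

// completeSpecs is a constructed deny-list for outbound requests to
// user-supplied URLs. It is an illustration, not azd's actual list.
var completeSpecs = []string{
	"0.0.0.0/8",      // "this" network; 0.0.0.1 reaches loopback on Linux/macOS
	"10.0.0.0/8",     // RFC 1918
	"127.0.0.0/8",    // loopback
	"169.254.0.0/16", // link-local, including cloud metadata endpoints
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"::/128",         // IPv6 unspecified; maps to loopback on some systems
	"::1/128",        // IPv6 loopback
	"fc00::/7",       // IPv6 unique local
	"fe80::/10",      // IPv6 link-local
}

// incompleteSpecs reproduces the regression: the same list without the two
// entries that were dropped.
var incompleteSpecs = without(completeSpecs, "0.0.0.0/8", "::/128")

var (
	privateCIDRs    = mustParseCIDRs(completeSpecs)
	incompleteCIDRs = mustParseCIDRs(incompleteSpecs)
)

// without returns specs with the given entries removed.
func without(specs []string, drop ...string) []string {
	out := make([]string, 0, len(specs))
	for _, s := range specs {
		keep := true
		for _, d := range drop {
			if s == d {
				keep = false
			}
		}
		if keep {
			out = append(out, s)
		}
	}
	return out
}

// mustParseCIDRs parses every CIDR string; a bad entry in a security
// deny-list should fail loudly at startup rather than silently shrink the list.
func mustParseCIDRs(specs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(specs))
	for _, s := range specs {
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			panic(fmt.Sprintf("bad CIDR %q: %v", s, err))
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlocked reports whether an IP literal falls inside any denied range.
// Unparsable input fails closed. IPv4-mapped IPv6 literals (::ffff:a.b.c.d)
// are normalised by net.IPNet.Contains, so they are matched against the
// IPv4 ranges. Hostnames must be resolved first and every resolved address
// checked; that step is outside this example.
func isBlocked(ipStr string, nets []*net.IPNet) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return true
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	for _, h := range []string{"0.0.0.1", "::", "127.0.0.1", "::ffff:127.0.0.1", "93.184.216.34"} {
		fmt.Printf("%-18s complete=%-5v incomplete=%v\n",
			h, isBlocked(h, privateCIDRs), isBlocked(h, incompleteCIDRs))
	}
}
```

Running it shows that 0.0.0.1 and :: pass the incomplete list and are caught by the complete one, while 127.0.0.1 and the IPv4-mapped form are blocked by both; a regression test that pins these two literals is the cheap way to keep the entries from being dropped again.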

Fix

PR #6907 adds both missing CIDRs and extends test coverage with IPv6 cases.

How it happened

When SSRF protection was extracted from azd-rest into the SDK (PR #6856), 2 of 9 CIDR entries were dropped from the list.
