Improve localhost binding prevention

Author: repli2dev

src/Config/Config.php

@@ -3,6 +3,7 @@
 namespace Kiwicom\Loopbind\Config;
 
 use JsonSerializable;
+use Kiwicom\Loopbind\Helpers\IPHelpers;
 use function array_map;
 use function filter_var;
 use function is_array;
@@ -37,10 +38,10 @@ public function __construct(
             array_map(fn (string $host): bool => filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false ?
                 throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Value `{$host}` is not valid hostname.") : true, $hostname);
 
-            array_map(fn (string $hostname): bool => $hostname === 'localhost' ?
+            array_map(fn (string $hostname): bool => IPHelpers::isForbiddenDomain($hostname) ?
                     throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Hostname `{$hostname}` is forbidden by this tool.") : true, $hostname);
         }
-        if ($hostname === 'localhost') {
+        if (is_string($hostname) && IPHelpers::isForbiddenDomain($hostname)) {
             throw new \Kiwicom\Loopbind\Exceptions\InvalidHostnameException("Hostname `{$hostname}` is forbidden by this tool.");
         }
 

src/Helpers/IPHelpers.php

@@ -34,4 +34,31 @@ public static function findRandomFreeLocalIP(): string
         }
         throw new UnableToFindUnreferencedIPAddressException();
     }
+
+    /**
+     * Returns true iff the given URL is a forbidden domain
+     * @param string $url
+     * @return bool
+     */
+    public static function isForbiddenDomain(string $url): bool
+    {
+        $url = mb_strtolower($url);
+        $forbidden = [
+            'localhost',
+            'localhost4',
+            'localhost6',
+            'localhost.localdomain',
+            'localhost4.localdomain4',
+            'localhost6.localdomain6',
+            'ip6-localhost',
+            'ip6-loopback',
+            'ip6-localnet',
+            'ip6-mcastprefix',
+            'ip6-allnodes',
+            'ip6-allrouters',
+            'ip6-allhosts',
+            'broadcasthost'
+        ];
+        return in_array($url, $forbidden, true);
+    }
 }