HttpClient can bypass the Tor proxy because of a substring check on "localhost" #2347

@3z


In HttpClientImpl.doRequest() the decision to skip the SOCKS5 (Tor) proxy is:

if (ignoreSocks5Proxy || socks5Proxy == null || baseUrl.contains("localhost")) {
    return requestWithoutProxy(...);
}

That baseUrl.contains("localhost") is a substring match on the whole URL, not a host check. So a URL like http://localhost.example.com/... (or anything with localhost in a path/query) matches and the request goes out directly, not over Tor. For a Tor-only app that's a deanonymization vector: if a base URL the client uses can be influenced to contain that substring, the request leaks the real IP. The inverse is also a minor bug — a legit http://127.0.0.1:... node does not match and gets forced through Tor.

The codebase already has the right helper — HavenoUtils.isLocalHost(uri) parses the URI and compares the host to 127.0.0.1/localhost, and it's used for the XMR node decisions. The HTTP client should use that instead:

if (ignoreSocks5Proxy || socks5Proxy == null || HavenoUtils.isLocalHost(baseUrl)) { ... }

…and treat ::1 / 127.0.0.0/8 as loopback too, and fail closed (route through Tor) if the URL can't be parsed. Small change, happy to PR.
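
The difference between the substring test and a parsed-host test, as an added example that is not part of the original post and is not Haveno's code. `LoopbackCheck`, `substringCheck` and `isLoopbackHost` are hypothetical names, and the URLs are constructed samples. No hostname is ever resolved, since a DNS lookup would itself bypass the proxy.

```java
import java.net.InetAddress;
import java.net.URI;

public class LoopbackCheck {
    // Substring test quoted in the issue: matches "localhost" anywhere in the URL.
    static boolean substringCheck(String baseUrl) {
        return baseUrl.contains("localhost");
    }

    // Hypothetical replacement: true only when the parsed host is loopback.
    // Any parse failure returns false, so the caller keeps using the proxy.
    static boolean isLoopbackHost(String baseUrl) {
        try {
            String host = new URI(baseUrl).getHost();
            if (host == null) return false;
            if (host.equalsIgnoreCase("localhost")) return true;
            if (host.startsWith("[")) {
                // Bracketed IPv6 literal: parsed as a literal, no DNS lookup.
                return InetAddress.getByName(host).isLoopbackAddress();
            }
            // IPv4 literal in 127.0.0.0/8, checked by hand so that no
            // hostname is ever handed to the resolver.
            String[] octets = host.split("\\.", -1);
            if (octets.length != 4 || !octets[0].equals("127")) return false;
            for (String o : octets) {
                if (!o.matches("\\d{1,3}") || Integer.parseInt(o) > 255) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // fail closed: treat the target as remote
        }
    }

    public static void main(String[] args) {
        String[] urls = { // constructed sample inputs
            "http://localhost:8080/api",
            "http://127.0.0.1:18081/json_rpc",
            "http://[::1]:8080/",
            "http://localhost.example.com/",
            "http://example.com/?next=localhost",
            "http://localhost@example.com/",
            "http://local host/",
        };
        for (String u : urls) {
            System.out.printf("%-38s substring=%-5b parsed=%b%n", u, substringCheck(u), isLoopbackHost(u));
        }
    }
}
```

The last four URLs are the cases where the two checks disagree in the dangerous direction: the substring test skips the proxy while the parsed host is remote or unparseable.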
