Fix ssrf validation

src/nsupdate/main/forms.py

@@ -4,6 +4,7 @@
 """
 
 import binascii
+import ipaddress
 
 from django import forms
 from django.utils.translation import gettext_lazy as _
@@ -70,10 +71,31 @@ def clean_nameserver_update_secret(self):
         except (binascii.Error, UnicodeEncodeError):
             raise forms.ValidationError(_("Enter a valid secret in base64 format."), code='invalid')
         return secret
+
+    def clean_nameserver_ip(self):
+        """
+        Validate that nameserver_ip is a valid public IP address.
+        Reject private, loopback, reserved, and link-local addresses.
+        """
+        nameserver_ip = self.cleaned_data.get('nameserver_ip')
+        if not nameserver_ip:
+            return nameserver_ip
+
+        try:
+            ip_obj = ipaddress.ip_address(nameserver_ip)
+        except ValueError:
+            raise forms.ValidationError(_("Enter a valid IP address."), code='invalid')
+
+        if ip_obj.is_private or ip_obj.is_loopback or ip_obj.is_reserved or ip_obj.is_link_local:
+            raise forms.ValidationError(("Enter a public IP address. Internal addresses are not allowed."), 
+                code='invalid'
+            )
+        return nameserver_ip
+
 
     def clean(self):
         cleaned_data = super(EditDomainForm, self).clean()
-
+        
         if self.cleaned_data['available'] and 'nameserver_ip' in cleaned_data:
             try:
                 check_domain(self.instance.name, cleaned_data['nameserver_ip'])