
fix: block RFC 6598 shared address space as non-public

Treat 100.64.0.0/10 as non-public in urllib.IsNonPublicIP.

This closes a gap where RFC 6598 shared address space was not
classified as non-public, which could allow outbound requests to
CGNAT addresses through code paths that rely on this helper.
Frédéric Guillot 2 недель назад
Родитель
Сommit
e9ea12682d
2 измененных файлов с 8 добавлено и 0 удалено
  1. 7 0
      internal/urllib/url.go
  2. 1 0
      internal/urllib/url_test.go

+ 7 - 0
internal/urllib/url.go

@@ -7,10 +7,13 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"net/url"
 	"strings"
 )
 
+var rfc6598SharedAddressSpacePrefix = netip.MustParsePrefix("100.64.0.0/10")
+
 // IsRelativePath reports whether the link is a relative path (no scheme, host, or scheme-relative // form).
 func IsRelativePath(link string) bool {
 	if link == "" {
@@ -161,6 +164,10 @@ func IsNonPublicIP(ip net.IP) bool {
 		return true
 	}
 
+	if addr, ok := netip.AddrFromSlice(ip); ok && rfc6598SharedAddressSpacePrefix.Contains(addr.Unmap()) {
+		return true
+	}
+
 	return ip.IsPrivate() ||
 		ip.IsLoopback() ||
 		ip.IsLinkLocalUnicast() ||
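Review bot: The new package-level variable in the first hunk has no doc comment, so a reader has to know the RFC number to understand why this range is singled out from what `ip.IsPrivate()` already rejects; I would add `// rfc6598SharedAddressSpacePrefix is the RFC 6598 shared address space (100.64.0.0/10, carrier-grade NAT). net.IP.IsPrivate does not treat it as private, so IsNonPublicIP checks it explicitly.` above the declaration. The `addr.Unmap()` call in the second hunk is what makes the check hold for the 16-byte IPv4-mapped form of these addresses, which is worth a one-line why-comment on that line since `Contains` would otherwise return false for a mapped address. IsNonPublicIP begins and ends outside this hunk; if the remaining conditions do not already cover other non-routable IPv4 blocks that `IsPrivate` also skips (e.g. 198.18.0.0/15, 192.0.0.0/24, 240.0.0.0/4), the same `netip.Prefix` approach could be extended to a small table rather than one variable per range.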

+ 1 - 0
internal/urllib/url_test.go

@@ -226,6 +226,7 @@ func TestIsNonPublicIP(t *testing.T) {
 	}{
 		{"nil", "", true},
 		{"private IPv4", "192.168.1.10", true},
+		{"shared address space IPv4", "100.64.0.1", true},
 		{"loopback IPv4", "127.0.0.1", true},
 		{"link-local IPv4", "169.254.42.1", true},
 		{"multicast IPv4", "224.0.0.1", true},
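Review bot: The single added case sits in the middle of the /10 and does not exercise the prefix boundaries or the IPv4-mapped path that the `Unmap()` call in url.go exists for, so a regression in either would go unnoticed. I would add `{"shared address space IPv4 upper bound", "100.127.255.255", true},`, `{"just below shared address space", "100.63.255.255", false},` and `{"shared address space IPv4-mapped", "::ffff:100.64.0.1", true},` next to the new case (assuming the table's address strings are fed through net.ParseIP, which yields the 16-byte mapped form for the last one). TestIsNonPublicIP begins and ends outside this hunk.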