When auditing a "fetch-a-user-URL" sink for SSRF, the strongest finding (and the strongest anti-by-design argument) is when the project HAS AUTHORED an SSRF/internal-IP guard somewhere in its own codebase but FAILS TO CALL IT on the sink you're looking at. The existence of the guard proves intent-to-block-internal -> reaching internal/metadata via the unguarded sink is a DEFECT, not the promised "fetch-a-URL" feature. This defeats the maintainer's #1 rejection ("SSRF in a fetch tool is by-design").
is_url_safe|_validate_url|IsInternetIp|private|loopback|169.254|link.?local|allowlist|deny.?list|is_internal.grep -rn <guardName>). If the SSRF sink you found is NOT among the callers -> "guard-exists-but-unwired" = high-value, by-design-defeating finding.async_file_download -> unauth metadata reach (LIVE-confirmed: real 169.254.169.254 fetch).util/network.go IsInternetIp() (correct private/loopback reject) but its ONLY caller is an unrelated util; web_fetch.go fetches the user URL with zero validation. The unwired guard IS the headline anti-by-design fact._validate_url (files.py:348, the CVE-2026-0560 fix, blocks private/loopback/link-local + 169.254.169.254) and APPLIES it in _download_image_to_temp - but the ScrapeMaster scrape-url sink (stores.py) + notebook scrape sink never call it. Disciplined sibling in the SAME repo proves the asymmetry.A heavily-CVE'd / popular target raises private-dup risk (huntr reports are embargoed/invisible until disclosed). The guard-unwired finding can be technically strong AND already privately reported. Flag the saturation-risk honestly; let the operator's independent pass + the platform's dup-detection adjudicate. Don't over-invest live-PoC compute on a popular target pre-greenlight. Related: [[feedback_cross_fork_portlag_primitive]] (the incomplete-fix-after-CVE intersection); the cycle264 live-SSRF-confirm kit (canary-with-control + status-oracle).