huntr | Haxatron | C903D563-BA97-44E9-B421-22BFAB1E0CBD
History: May 13, 2022 - 5:50 p.m.

SSRF in editor's proxy via IPv6 link-local address

2022-05-13 17:50:33
haxatron
www.huntr.dev
Tags: ssrf, vulnerability, editor's proxy, link-local, ipv6, address, filtering, wireshark, bug bounty

EPSS

0

Percentile

12.8%

Description

The proxy server does not check for link-local IPv6 addresses.

In https://github.com/jgraph/drawio/blob/dev/src/main/java/com/mxgraph/online/ProxyServlet.java#L255L257 the servlet checks whether the requested target is a local IP address. That check omits link-local IPv6 addresses (fe80::/10), which the Java InetAddress API exposes through a dedicated predicate:

https://docs.oracle.com/javase/7/docs/api/java/net/InetAddress.html#isLinkLocalAddress()

Proof of Concept

1: Set up Wireshark and start a capture.
2: In your local copy of the DrawIO webapp, open:

http://localhost:8080/draw/proxy?url=http%3A%2F%2F[fe80%3A%3A1]

3: The request takes a while, and the Wireshark capture shows the server attempting to connect to [fe80::1] (the default gateway on the test machine). This demonstrates that fe80::/10 link-local IPv6 addresses are not being filtered.
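The following is an added illustration, not code from drawio's ProxyServlet or from the reporter. It contrasts a target filter that stops at the loopback and site-local checks (the gap the description above identifies, and the reason the PoC target [fe80::1] gets through) with one that also rejects link-local, multicast and unique-local addresses. The class and method names are hypothetical, and the sample targets are constructed.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;

// Hypothetical target filter for a fetch proxy (added example, not drawio code).
public final class ProxyTargetFilter {

    // A filter that knows only wildcard, loopback and site-local addresses.
    // fe80::1 passes it, which is the gap the report describes.
    static boolean isLocalNarrow(InetAddress a) {
        return a.isAnyLocalAddress()
            || a.isLoopbackAddress()
            || a.isSiteLocalAddress();
    }

    // fc00::/7 (IPv6 unique local). Java's isSiteLocalAddress() only recognises
    // the deprecated fec0::/10 block for IPv6, so ULA needs an explicit test.
    static boolean isUniqueLocalV6(InetAddress a) {
        return a instanceof Inet6Address && (a.getAddress()[0] & 0xfe) == 0xfc;
    }

    // Hardened predicate: everything isLocalNarrow rejects, plus
    // isLinkLocalAddress() (169.254.0.0/16 and fe80::/10), multicast and ULA.
    static boolean isLocalHardened(InetAddress a) {
        return isLocalNarrow(a)
            || a.isLinkLocalAddress()
            || a.isMulticastAddress()
            || isUniqueLocalV6(a);
    }

    // Decide whether the proxy may fetch the URL. Every address the host resolves
    // to is checked, so a name that mixes public and internal records is refused.
    // IP literals, including bracketed IPv6 such as [fe80::1], resolve to themselves.
    static boolean isAllowedTarget(String url) {
        String host;
        try {
            host = URI.create(url).getHost();
        } catch (IllegalArgumentException e) {
            return false;
        }
        if (host == null) {
            return false;
        }
        try {
            for (InetAddress a : InetAddress.getAllByName(host)) {
                if (isLocalHardened(a)) {
                    return false;
                }
            }
        } catch (UnknownHostException e) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample targets; 198.51.100.7 is an RFC 5737 documentation
        // address standing in for a public host.
        String[] samples = {
            "http://[fe80::1]/",           // the report's PoC target
            "http://169.254.169.254/",     // IPv4 link-local (cloud metadata endpoint)
            "http://[fd12:3456::1]/",      // IPv6 unique local
            "http://[::ffff:127.0.0.1]/",  // IPv4-mapped loopback; Java yields an Inet4Address
            "http://198.51.100.7/",
        };
        for (String s : samples) {
            InetAddress a = InetAddress.getByName(URI.create(s).getHost());
            System.out.printf("%-28s narrow-blocks=%-5b hardened-blocks=%-5b allowed=%b%n",
                s, isLocalNarrow(a), isLocalHardened(a), isAllowedTarget(s));
        }
    }
}
```

Run with `java ProxyTargetFilter.java` (Java 11 or later). Only the first of the three bracketed PoC-style literals is caught by the narrow predicate through `isLinkLocalAddress()` being absent, which is the point: IPv6 link-local and unique-local ranges need their own tests because `isSiteLocalAddress()` does not cover them. One caveat the example does not solve: the filter resolves the name separately from the socket that later connects, so a hostname whose records change between the two lookups (DNS rebinding) still requires checking the address the connection is actually made to.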
