From aa68b59fb1603d1b9fd8db488ec56df8d9ff266d Mon Sep 17 00:00:00 2001
From: Kharec
Date: Mon, 16 Feb 2026 13:16:32 +0100
Subject: [PATCH] fix(validation): block private hosts on first DNS lookup in URL blocking
---
 lib/Urupam/Validation.pm | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/Urupam/Validation.pm b/lib/Urupam/Validation.pm
index 270e63b..5bf58b2 100644
--- a/lib/Urupam/Validation.pm
+++ b/lib/Urupam/Validation.pm
@@ -318,9 +318,12 @@ sub is_blocked_url {
 $self->_addresses_contain_private($cached) ? 1 : 0 ); }
-# Intentional: skip blocking on cold hosts to keep latency low, DNS runs in background.
- $self->_fire_and_forget( $self->_resolve_host($host) );
- return Mojo::Promise->resolve(0);
+ return $self->_resolve_host($host)->then(
+ sub {
+ my $addresses = shift;
+ return $self->_addresses_contain_private($addresses) ? 1 : 0;
+ }
+ );
 }
 sub _create_ssrf_safe_ua {
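Review bot: The new `->then(...)` in `is_blocked_url` has no rejection handler, so if `_resolve_host` rejects (lookup failure or timeout) the returned promise rejects instead of resolving to a verdict, and whether that fails closed depends on callers that are not visible here. For an SSRF guard it is safer to make the failure path explicit, for example by passing a second callback to `then`, `sub { return 1 }`, so an unresolvable host is treated as blocked. It is also worth confirming that `_addresses_contain_private` does not return false for an empty or undefined address list, since that would report a host with no usable answer as not blocked. Separately, this check and the later fetch may resolve the name independently, so the verdict only holds if the client built by `_create_ssrf_safe_ua` re-validates the address it actually connects to; that code is outside this hunk, as is the start of `is_blocked_url`.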