angee.integrate.net
Outbound-URL safety: HTTP(S) scheme allow-list + SSRF address validation.
The single owner for "is this URL safe to call outbound." Used by the integrate webhook delivery layer (as a model field validator and a per-delivery check) and the resources remote-file fetcher. Callers that open a connection should resolve once and dial the validated address (IP-pinning) to close the resolve-then-connect gap; this module owns the allow-list and the address judgement.
ALLOWED_HTTP_SCHEMES
URL schemes accepted for outbound HTTP calls.
METADATA_IPS
Well-known cloud metadata service addresses that must never receive callbacks.
parse_http_url
def parse_http_url(url: str) -> SplitResult
Return a parsed HTTP(S) URL with a well-formed port and host, or raise ValidationError.
The scheme + host gate shared by the webhook delivery layer (which then pins the resolved address) and validate_public_url (which then checks every resolved address). Callers that need the public-IP check call the latter.
validate_public_url
def validate_public_url(value: object) -> None
Raise ValidationError unless value is an HTTP(S) URL resolving only to public IPs.
resolved_addresses
def resolved_addresses(hostname: str, port: int | None) -> tuple[_IpAddress, ...]
Return every IP address currently resolved for hostname.
canonical_address
def canonical_address(address: _IpAddress) -> _IpAddress
Return address unwrapped from any IPv4-mapped IPv6 form.
ipaddress reports an IPv4-mapped IPv6 address (::ffff:169.254.169.254) as neither private nor link-local, so a metadata or private host reached in that form would slip past the judgement. Callers judge the unwrapped IPv4.
is_unsafe_address
def is_unsafe_address(address: _IpAddress, *, allow_private: bool = False) -> bool
Return whether address is forbidden for outbound calls.
Default (public) mode rejects every non-public address. allow_private=True is the operator-configured-connection policy — a self-hosted host on a private network: it permits RFC-1918 / loopback so those connections work, but still rejects the SSRF escapes that have no legitimate target either way — cloud metadata (the well-known IPs, and link-local 169.254/16 / the RFC 6598 shared range that front metadata services), multicast, and unspecified.
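The unwrap-then-judge flow described for canonical_address and is_unsafe_address, as an added example that is not the module's own code. The names unwrap_mapped, unsafe_for_outbound, judge_all and SAMPLE_METADATA_IPS are hypothetical, the metadata set holds only the one address this page mentions, and the sample addresses are constructed.

```python
import ipaddress

# Assumption: the page names METADATA_IPS without listing its values; only
# 169.254.169.254 appears in its text, so that is the single entry used here.
SAMPLE_METADATA_IPS = frozenset({ipaddress.ip_address("169.254.169.254")})
# RFC 6598 shared address space, which the page says can front metadata services.
SHARED_RANGE = ipaddress.ip_network("100.64.0.0/10")


def unwrap_mapped(address):
    """Return the embedded IPv4 address for ::ffff:a.b.c.d, else the address itself."""
    mapped = getattr(address, "ipv4_mapped", None)
    return mapped if mapped is not None else address


def unsafe_for_outbound(address, *, allow_private=False):
    """Return True when the address must not be dialled (hypothetical policy)."""
    address = unwrap_mapped(address)  # judge the IPv4 form, never the mapped wrapper
    # Rejected under both policies: these have no legitimate outbound target.
    if (
        address in SAMPLE_METADATA_IPS
        or address.is_link_local
        or address.is_multicast
        or address.is_unspecified
        or address in SHARED_RANGE
    ):
        return True
    # Simplification: is_private covers more ranges than RFC 1918 alone.
    if allow_private and (address.is_private or address.is_loopback):
        return False
    return not address.is_global  # public mode: every non-public address is rejected


def judge_all(raw_addresses, *, allow_private=False):
    """Map each address string to its verdict (True means rejected)."""
    return {
        raw: unsafe_for_outbound(ipaddress.ip_address(raw), allow_private=allow_private)
        for raw in raw_addresses
    }


# Constructed sample addresses, standing in for one hostname's resolved set.
SAMPLES = ["93.184.216.34", "10.0.0.5", "127.0.0.1", "100.64.0.1",
           "::ffff:169.254.169.254", "::ffff:10.0.0.5", "224.0.0.1", "0.0.0.0"]

if __name__ == "__main__":
    for mode in (False, True):
        print("allow_private =", mode, judge_all(SAMPLES, allow_private=mode))
```

A caller that checks every resolved address, as validate_public_url is described as doing, would reject the URL if any entry in the returned mapping is True.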