Skip to content

angee.integrate.net

Outbound-URL safety: HTTP(S) scheme allow-list + SSRF address validation.

The single owner for "is this URL safe to call outbound." Used by the integrate webhook delivery layer (as a model field validator and a per-delivery check) and the resources remote-file fetcher. Callers that open a connection should resolve once and dial the validated address (IP-pinning) to close the resolve-then-connect gap; this module owns the allow-list and the address judgement.

ALLOWED_HTTP_SCHEMES

URL schemes accepted for outbound HTTP calls.

METADATA_IPS

Well-known cloud metadata service addresses that must never receive callbacks.

parse_http_url

python
def parse_http_url(url: str) -> SplitResult

Return a parsed HTTP(S) URL with a well-formed port and host, or raise ValidationError.

The scheme + host gate shared by the webhook delivery layer (which then pins the resolved address) and validate_public_url (which then checks every resolved address). Callers that need the public-IP check call the latter.

validate_public_url

python
def validate_public_url(value: object) -> None

Raise ValidationError unless value is an HTTP(S) URL resolving only to public IPs.

resolved_addresses

python
def resolved_addresses(hostname: str,
                       port: int | None) -> tuple[_IpAddress, ...]

Return every IP address currently resolved for hostname.

canonical_address

python
def canonical_address(address: _IpAddress) -> _IpAddress

Return address unwrapped from any IPv4-mapped IPv6 form.

ipaddress reports an IPv4-mapped IPv6 address (::ffff:169.254.169.254) as neither private nor link-local, so a metadata or private host reached in that form would slip past the judgement. Callers judge the unwrapped IPv4.

is_unsafe_address

python
def is_unsafe_address(address: _IpAddress,
                      *,
                      allow_private: bool = False) -> bool

Return whether address is forbidden for outbound calls.

Default (public) mode rejects every non-public address. allow_private=True is the operator-configured-connection policy — a self-hosted host on a private network: it permits RFC-1918 / loopback so those connections work, but still rejects the SSRF escapes that have no legitimate target either way — cloud metadata (the well-known IPs, and link-local 169.254/16 / the RFC 6598 shared range that front metadata services), multicast, and unspecified.

Released under the AGPL-3.0 License.