skyvern/utils/url_validators.py

import ipaddress
from urllib.parse import quote, urlparse, urlsplit, urlunsplit

from fastapi import status
from pydantic import HttpUrl, ValidationError

from skyvern.config import settings
from skyvern.exceptions import BlockedHost, InvalidUrl, SkyvernHTTPException


def prepend_scheme_and_validate_url(url: str) -> str:
    if not url:
        return url

    parsed_url = urlparse(url=url)
    if parsed_url.scheme and parsed_url.scheme not in ["http", "https"]:
        raise InvalidUrl(url=url)

    # if url doesn't contain any scheme, we prepend `https` to it by default
    if not parsed_url.scheme:
        url = f"https://{url}"

    try:
        HttpUrl(url)
    except ValidationError:
        raise InvalidUrl(url=url)

    return url


def is_blocked_host(host: str) -> bool:
    if host.lower() in (h.lower() for h in settings.ALLOWED_HOSTS):
        return False
    try:
        ip = ipaddress.ip_address(host)
        # Check if the IP is private, link-local, loopback, or reserved
        return ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_reserved
    except ValueError:
        # If the host is not a valid IP address (e.g., it's a domain name like localhost), handle it here
        for blocked_host in settings.BLOCKED_HOSTS:
            if blocked_host == host:
                return True
        return False
    except Exception:
        return False


def validate_url(url: str) -> str | None:
    try:
        url = prepend_scheme_and_validate_url(url=url)
        v = HttpUrl(url=url)
    except Exception as e:
        raise SkyvernHTTPException(message=str(e), status_code=status.HTTP_400_BAD_REQUEST)

    if not v.host:
        return None
    host = v.host
    blocked = is_blocked_host(host)
    if blocked:
        raise BlockedHost(host=host)
    return str(v)


def encode_url(url: str) -> str:
    parts = list(urlsplit(url))
    # Encode the path while preserving "/" and "%"
    parts[2] = quote(parts[2], safe="/%")
    parts[3] = quote(parts[3], safe="=&/%")
    return urlunsplit(parts)
block urls pointing to internal addresses (#1012) 2024-10-20 18:33:05 -07:00			`import ipaddress`
Retry url encode fix (#2136) 2025-04-12 15:18:15 -07:00			`from urllib.parse import quote, urlparse, urlsplit, urlunsplit`
block urls pointing to internal addresses (#1012) 2024-10-20 18:33:05 -07:00
share validate_url function (#1371) 2024-12-11 00:57:55 -08:00			`from fastapi import status`
add observer cruise creation and completion (#1354) 2024-12-08 12:43:59 -08:00			`from pydantic import HttpUrl, ValidationError`
shu/fix task url type (#999) 2024-10-17 23:47:59 -07:00
block urls pointing to internal addresses (#1012) 2024-10-20 18:33:05 -07:00			`from skyvern.config import settings`
share validate_url function (#1371) 2024-12-11 00:57:55 -08:00			`from skyvern.exceptions import BlockedHost, InvalidUrl, SkyvernHTTPException`
shu/fix task url type (#999) 2024-10-17 23:47:59 -07:00

auto prepend scheme to url (#1335) 2024-12-06 11:56:12 +08:00			`def prepend_scheme_and_validate_url(url: str) -> str:`
			`if not url:`
			`return url`

			`parsed_url = urlparse(url=url)`
			`if parsed_url.scheme and parsed_url.scheme not in ["http", "https"]:`
			`raise InvalidUrl(url=url)`

			# if url doesn't contain any scheme, we prepend `https` to it by default
			`if not parsed_url.scheme:`
			`url = f"https://{url}"`

			`try:`
			`HttpUrl(url)`
			`except ValidationError:`
			`raise InvalidUrl(url=url)`

			`return url`


block urls pointing to internal addresses (#1012) 2024-10-20 18:33:05 -07:00			`def is_blocked_host(host: str) -> bool:`
support ALLOWED_HOSTS (#1905) Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com> 2025-03-09 16:13:33 -07:00			`if host.lower() in (h.lower() for h in settings.ALLOWED_HOSTS):`
			`return False`
block urls pointing to internal addresses (#1012) 2024-10-20 18:33:05 -07:00			`try:`
			`ip = ipaddress.ip_address(host)`
			`# Check if the IP is private, link-local, loopback, or reserved`
			`return ip.is_private or ip.is_link_local or ip.is_loopback or ip.is_reserved`
			`except ValueError:`
			`# If the host is not a valid IP address (e.g., it's a domain name like localhost), handle it here`
			`for blocked_host in settings.BLOCKED_HOSTS:`
			`if blocked_host == host:`
			`return True`
			`return False`
			`except Exception:`
			`return False`
share validate_url function (#1371) 2024-12-11 00:57:55 -08:00

			`def validate_url(url: str) -> str \| None:`
			`try:`
			`url = prepend_scheme_and_validate_url(url=url)`
			`v = HttpUrl(url=url)`
			`except Exception as e:`
			`raise SkyvernHTTPException(message=str(e), status_code=status.HTTP_400_BAD_REQUEST)`

			`if not v.host:`
			`return None`
			`host = v.host`
			`blocked = is_blocked_host(host)`
			`if blocked:`
			`raise BlockedHost(host=host)`
			`return str(v)`
Retry url encode fix (#2136) 2025-04-12 15:18:15 -07:00

			`def encode_url(url: str) -> str:`
			`parts = list(urlsplit(url))`
			`# Encode the path while preserving "/" and "%"`
			`parts[2] = quote(parts[2], safe="/%")`
fix url encoding in the param part (#2520) 2025-05-29 12:55:48 -07:00			`parts[3] = quote(parts[3], safe="=&/%")`
Retry url encode fix (#2136) 2025-04-12 15:18:15 -07:00			`return urlunsplit(parts)`