block urls pointing to internal addresses (#1012)

2024-10-20 18:33:05 -07:00
parent b31b77707c
commit 3e40267cfa
4 changed files with 41 additions and 2 deletions
--- a/skyvern/forge/sdk/schemas/tasks.py
+++ b/skyvern/forge/sdk/schemas/tasks.py
@@ -4,9 +4,10 @@ from datetime import datetime
 from enum import StrEnum
 from typing import Any

-from pydantic import BaseModel, Field, HttpUrl
+from pydantic import BaseModel, Field, HttpUrl, field_validator

-from skyvern.exceptions import InvalidTaskStatusTransition, TaskAlreadyCanceled
+from skyvern.exceptions import BlockedHost, InvalidTaskStatusTransition, TaskAlreadyCanceled
+from skyvern.forge.sdk.core.validators import is_blocked_host


 class ProxyLocation(StrEnum):
@@ -89,6 +90,17 @@ class TaskRequest(TaskBase):
    )
    totp_verification_url: HttpUrl | None = None

+    @field_validator("url", "webhook_callback_url", "totp_verification_url")
+    @classmethod
+    def validate_urls(cls, v: HttpUrl | None) -> HttpUrl | None:
+        if not v or not v.host:
+            return None
+        host = v.host
+        blocked = is_blocked_host(host)
+        if blocked:
+            raise BlockedHost(host=host)
+        return v
+

 class TaskStatus(StrEnum):
    created = "created"