From 8537a29b1cd8fb118908c621501529bb0aaf66c6 Mon Sep 17 00:00:00 2001
From: Shuchang Zheng <wintonzheng0325@gmail.com>
Date: Sun, 9 Mar 2025 16:13:33 -0700
Subject: [PATCH] support ALLOWED_HOSTS (#1905)

Co-authored-by: ellipsis-dev[bot] <65095814+ellipsis-dev[bot]@users.noreply.github.com>
---
 skyvern/config.py                    | 1 +
 skyvern/forge/sdk/core/validators.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/skyvern/config.py b/skyvern/config.py
index cf933101..083dcc9d 100644
--- a/skyvern/config.py
+++ b/skyvern/config.py
@@ -40,6 +40,7 @@ class Settings(BaseSettings):
     PORT: int = 8000
     ALLOWED_ORIGINS: list[str] = ["*"]
     BLOCKED_HOSTS: list[str] = ["localhost"]
+    ALLOWED_HOSTS: list[str] = []
 
     # Secret key for JWT. Please generate your own secret key in production
     SECRET_KEY: str = "PLACEHOLDER"
diff --git a/skyvern/forge/sdk/core/validators.py b/skyvern/forge/sdk/core/validators.py
index c4e687d3..2882ddb9 100644
--- a/skyvern/forge/sdk/core/validators.py
+++ b/skyvern/forge/sdk/core/validators.py
@@ -29,6 +29,8 @@ def prepend_scheme_and_validate_url(url: str) -> str:
 
 
 def is_blocked_host(host: str) -> bool:
+    if host.lower() in (h.lower() for h in settings.ALLOWED_HOSTS):
+        return False
     try:
         ip = ipaddress.ip_address(host)
         # Check if the IP is private, link-local, loopback, or reserved