mirror of
https://github.com/Significant-Gravitas/AutoGPT.git
synced 2026-02-04 11:55:11 -05:00
We need stricter URL validation for the hostname we can request in the block code.

### Changes 🏗️

* Canonicalization: Ensures `\` is converted to `/`, adds `http://` if missing, and normalizes the input URL.
* Scheme Check: Only `http` or `https` are allowed.
* Hostname Validation:
  - Ensures a hostname exists.
  - Converts it to its IDNA ASCII form to prevent Unicode spoofing.
  - Verifies that the hostname matches a safe DNS pattern.
* Trusted Origins Check: Allows certain hostnames explicitly if needed.
* IP Resolution and Blocking:
  - Resolves the hostname to its IP addresses.
  - Checks them against a list of private/reserved IP networks to prevent SSRF to internal services.

### Checklist 📋

#### For code changes:

- [ ] I have clearly listed my changes in the PR description
- [ ] I have made a test plan
- [ ] I have tested my changes according to the test plan:
  <!-- Put your test plan here: -->
  - [ ] ...

<details>
  <summary>Example test plan</summary>

  - [ ] Create from scratch and execute an agent with at least 3 blocks
  - [ ] Import an agent from file upload, and confirm it executes correctly
  - [ ] Upload agent to marketplace
  - [ ] Import an agent from marketplace and confirm it executes correctly
  - [ ] Edit an agent from monitor, and confirm it executes correctly
</details>

#### For configuration changes:

- [ ] `.env.example` is updated or already compatible with my changes
- [ ] `docker-compose.yml` is updated or already compatible with my changes
- [ ] I have included a list of my configuration changes in the PR description (under **Changes**)

<details>
  <summary>Examples of configuration changes</summary>

  - Changing ports
  - Adding new services that need to communicate with each other
  - Secrets or environment variable changes
  - New or infrastructure changes such as databases
</details>
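The five checks listed under Changes, worked through as one validation function. This is an added illustration, not AutoGPT's own code: the function names, the `trusted_origins` and injectable `resolve` parameters, and the block list of private/reserved ranges are all assumptions made for the example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

# Constructed block list of private/reserved ranges; the project's own list may differ.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Conservative DNS-name pattern: dot-separated LDH labels of 1-63 chars, no edge hyphens.
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def canonicalize(url: str) -> str:
    url = url.strip().replace("\\", "/")             # backslashes become slashes
    return url if "://" in url else "http://" + url  # add a scheme if missing

def _resolve(hostname: str) -> list[str]:
    # Every A/AAAA answer is checked, so one private record is enough to reject the host.
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})

def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    addr = getattr(addr, "ipv4_mapped", None) or addr  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_url(url: str, trusted_origins=(), resolve=_resolve) -> str:
    """Return the canonical URL, or raise ValueError naming the check that failed."""
    parsed = urlparse(canonicalize(url))
    if parsed.scheme.lower() not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if not parsed.hostname:
        raise ValueError("URL has no hostname")
    try:  # IDNA-encode so confusable Unicode hosts are matched and resolved in ASCII form
        host = parsed.hostname.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"hostname is not valid IDNA: {parsed.hostname!r}") from exc
    try:
        addresses = [str(ipaddress.ip_address(host))]  # bare IP literal: check it directly
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):
            raise ValueError(f"hostname fails DNS pattern: {host!r}")
        addresses = None                               # resolve below
    if host not in trusted_origins:                    # explicit allow-list skips the IP check
        for ip in addresses if addresses is not None else resolve(host):
            if is_blocked_ip(ip):
                raise ValueError(f"{host} resolves to blocked address {ip}")
    port = f":{parsed.port}" if parsed.port else ""
    host_out = f"[{host}]" if ":" in host else host    # IPv6 literals keep their brackets
    return f"{parsed.scheme.lower()}://{host_out}{port}{parsed.path or '/'}"
```

The IPv4-mapped case and the "check every resolved address" loop are the two places a simpler implementation tends to let an internal address through.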