@@ -53,10 +53,33 @@ def fetch(self, url: str) -> Tuple[Optional[bytes], Optional[str], Optional[dict
5353
5454 # Prevent localhost/internal network access (basic SSRF protection)
5555 # Note: This is a basic check; for production, consider more robust validation
56+ # Localhost is allowed for development/testing but should be restricted in production
5657 netloc_lower = parsed .netloc .lower ()
57- if netloc_lower in ("localhost" , "127.0.0.1" , "0.0.0.0" ) or netloc_lower .startswith ("127." ) or netloc_lower .startswith ("192.168." ) or netloc_lower .startswith ("10." ):
58+ # Check for private/internal IP ranges (RFC 1918)
59+ # Note: We allow localhost for development but this could be made configurable
60+ if netloc_lower in ("localhost" , "127.0.0.1" , "0.0.0.0" , "::1" ) or \
61+ netloc_lower .startswith ("127." ) or \
62+ netloc_lower .startswith ("192.168." ) or \
63+ netloc_lower .startswith ("10." ) or \
64+ netloc_lower .startswith ("172.16." ) or \
65+ netloc_lower .startswith ("172.17." ) or \
66+ netloc_lower .startswith ("172.18." ) or \
67+ netloc_lower .startswith ("172.19." ) or \
68+ netloc_lower .startswith ("172.20." ) or \
69+ netloc_lower .startswith ("172.21." ) or \
70+ netloc_lower .startswith ("172.22." ) or \
71+ netloc_lower .startswith ("172.23." ) or \
72+ netloc_lower .startswith ("172.24." ) or \
73+ netloc_lower .startswith ("172.25." ) or \
74+ netloc_lower .startswith ("172.26." ) or \
75+ netloc_lower .startswith ("172.27." ) or \
76+ netloc_lower .startswith ("172.28." ) or \
77+ netloc_lower .startswith ("172.29." ) or \
78+ netloc_lower .startswith ("172.30." ) or \
79+ netloc_lower .startswith ("172.31." ):
5880 # Allow localhost for development/testing, but log it
59- pass # Keep for now as user may need to test localhost
81+ # In production, consider adding an environment variable to disable this
82+ pass
6083
6184 metadata = {
6285 "url" : url ,
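Review bot: The expanded private-range check at new lines 60–79 still does nothing when it matches — the body is `pass` at line 82, so every address it identifies is fetched anyway, and the "but log it" comment at line 80 is not backed by any log call. The test is also weaker than it looks: it runs on `parsed.netloc`, which carries userinfo, a port and IPv6 brackets, so `localhost:8080`, `[::1]` or `user@127.0.0.1` never hit the exact-match tuple, and the 172.16/12 block is spelled out as sixteen string prefixes while 169.254/16 and IPv6 ULA ranges are absent. Use `parsed.hostname` and the stdlib `ipaddress.ip_address(...)` predicates (`is_private`, `is_loopback`, `is_link_local`, `is_unspecified`; needs `import ipaddress` at the top of the file), and make a match either log or refuse behind an explicit setting instead of falling through — the setting's name and the error form fetch() returns are not visible in this hunk, so they are marked as TODOs below. fetch() begins before and continues after this hunk; the comment on line 54 should also state that a DNS name resolving to an internal address is outside what any literal-address check can catch.
```python
# … unchanged: URL parsing / scheme validation above …
host = (parsed.hostname or "").lower()  # hostname drops userinfo, port and IPv6 brackets
try:
    addr = ipaddress.ip_address(host)
    is_internal = (addr.is_private or addr.is_loopback
                   or addr.is_link_local or addr.is_unspecified)
except ValueError:
    # Not a literal address: only the well-known loopback name is caught here.
    # A DNS name that resolves to an internal address is not detected by this check.
    is_internal = host == "localhost"
if is_internal and not self.allow_internal_hosts:  # TODO: name/source of this setting to be chosen
    # TODO: confirm this matches the error triple fetch() returns for its other validation failures
    return None, "Refusing to fetch internal/private address", None
# … unchanged: metadata = { … } …
```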