i$ UdZddlZddlZddlZddlZddlmZddlmZej e Z e ddhZ e ejdejdejd ejd ejd hZejd fZe d hZejdZdadaeed<defdZddZdejejzdefdZdededefdZdedefdZdS)uLURL safety checks — blocks requests to private/internal network addresses. Prevents SSRF (Server-Side Request Forgery) where a malicious prompt or skill could trick the agent into fetching internal resources like cloud metadata endpoints (169.254.169.254), localhost services, or private network hosts. The check can be globally disabled via ``security.allow_private_urls: true`` in config.yaml for environments where DNS resolves external domains to private/benchmark-range IPs (OpenWrt routers, corporate proxies, VPNs that use 198.18.0.0/15 or 100.64.0.0/10). Even when disabled, cloud metadata hostnames (metadata.google.internal, 169.254.169.254) are **always** blocked — those are never legitimate agent targets. Limitations (documented, not fixable at pre-flight level): - DNS rebinding (TOCTOU): an attacker-controlled DNS server with TTL=0 can return a public IP for the check, then a private IP for the actual connection. Fixing this requires connection-level validation (e.g. Python's Champion library or an egress proxy like Stripe's Smokescreen). - Redirect-based bypass is mitigated by httpx event hooks that re-validate each redirect target in vision_tools, gateway platform adapters, and media cache helpers. Web tools use third-party SDKs (Firecrawl/Tavily) where redirect handling is on their servers. N)urlparse)is_truthy_valuezmetadata.google.internalz metadata.googz169.254.169.254z 169.254.170.2z169.254.169.253z fd00:ec2::254z100.100.100.200z169.254.0.0/16zmultimedia.nt.qq.com.cnz 100.64.0.0/10F_cached_allow_privatereturncztrtSdadatjdd}|dvr datS|dvrtS ddlm}|}|d i}t|tr-t|d d r datS|d i}t|tr-t|d d r datSn#t$rYnwxYwtS) acReturn True when the user has opted out of private-IP blocking. Checks (in priority order): 1. ``HERMES_ALLOW_PRIVATE_URLS`` env var (``true``/``1``/``yes``) 2. ``security.allow_private_urls`` in config.yaml 3. ``browser.allow_private_urls`` in config.yaml (legacy / backward compat) Result is cached for the process lifetime. TFHERMES_ALLOW_PRIVATE_URLS)true1yes)false0nor)read_raw_configsecurityallow_private_urls)defaultbrowser) _allow_private_resolvedrosgetenvstriplowerhermes_cli.configrget isinstancedictr Exception)env_valrcfgsecrs 5/home/ubuntu/.hermes/hermes-agent/tools/url_safety.py_global_allow_private_urlsr#Psw%$$"!i3R88>>@@FFHHG&&& $$$&&&$$ 555555oggj"%% c4  )_ GG( ) )5& & &  )%) !( ('')R(( gt $ $ ) KK, - -u* * *  )%) !( (       ! s%A'D& AD&& D32D3cdadadS)u+Reset the cached toggle — only for tests.FN)rrr"_reset_allow_private_cacher's$!r&ipcx|js|js|js|jrdS|js|jrdS|t vrdSdS)zzis_safe_url..s'/^/^cc /^/^/^/^/^/^r&z3Blocked request to cloud metadata address: %s -> %sz5Blocked request to private/internal address: %s -> %szKAllowing private/internal resolution (security.allow_private_urls=true): %szAAllowing trusted hostname despite private/internal resolution: %sTu5Blocked request — URL safety check error for %s: %s)rr2rrrstripr3_BLOCKED_HOSTNAMESloggerwarningr#r7socket getaddrinfo AF_UNSPEC SOCK_STREAMgaierror ipaddress ip_address ValueError_ALWAYS_BLOCKED_IPSany_ALWAYS_BLOCKED_NETWORKSr1debugr) r8parsedr2r3allow_all_privateallow_private_ip addr_infofamily_sockaddrip_strexcr(s @r" is_safe_urlrXsA#O)r002288::AA#FF-%2,,..4466 5 ) ) ) NNEx P P P578886JJ *8T6;KVM_``II    NNNPX Y Y Y55   *3   %FAq!Xa[F )&11    (((C/^/^/^/^E]/^/^/^,^,^(Ifuu$ -= .QSBTBT Kfuu   LL]      LLS    t  NPSUXYYYuuuuu syA>H$H)H+C43H4*D"H!D""H8E  H EHEA H%0Hrfs#2 !!!!!!!!!!!!  8 $ $ Y  iI*++I))I*++I))I*++ !I)**&I'&%o66  #t###0!D0!0!0!0!f"""" y,y/DD     GCGGGGGG LSLTLLLLLLr&