feat(workers): safe_fetch Python port
Mirrors lib/ingest/safe_fetch.js. Same scheme + IP-range checks and VOID_INGEST_ALLOW_PRIVATE env gate. Used by sync.source_doc and any future Python workers that fetch user-controlled URLs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
root
27
workers/tests/test_safe_fetch.py
Normal file
27
workers/tests/test_safe_fetch.py
Normal file
@@ -0,0 +1,27 @@
|
||||
import pytest
|
||||
from void_workers.safe_fetch import safe_fetch, SafeFetchError
|
||||
|
||||
|
||||
def test_rejects_file_scheme():
|
||||
with pytest.raises(SafeFetchError):
|
||||
safe_fetch("file:///etc/passwd")
|
||||
|
||||
|
||||
def test_rejects_loopback():
|
||||
with pytest.raises(SafeFetchError):
|
||||
safe_fetch("http://127.0.0.1/x")
|
||||
|
||||
|
||||
def test_rejects_rfc1918():
|
||||
with pytest.raises(SafeFetchError):
|
||||
safe_fetch("http://192.168.1.1/x")
|
||||
|
||||
|
||||
def test_rejects_metadata_endpoint():
|
||||
with pytest.raises(SafeFetchError):
|
||||
safe_fetch("http://169.254.169.254/latest/")
|
||||
|
||||
|
||||
def test_rejects_cgnat():
|
||||
with pytest.raises(SafeFetchError):
|
||||
safe_fetch("http://100.64.0.1/x")
|
||||
Reference in New Issue
Block a user