Skip to content

ssrf

ssrf

SSRF protection — block requests to private IPs and cloud metadata endpoints.

Functions

is_private_ip 

is_private_ip(ip_str: str) -> bool

Check if an IP address is private/reserved.

Source code in src/openjarvis/security/ssrf.py 
56
57
58
59
60
61
62
63
64
65
66
67
68
69
def is_private_ip(ip_str: str) -> bool:
    """Check if an IP address is private/reserved."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # Normalize IPv4-mapped / IPv4-compatible IPv6 to the embedded IPv4 so
    # the IPv4 private-range CIDRs apply. Without this, e.g. ::ffff:127.0.0.1
    # bypasses the loopback / RFC1918 checks.
    if isinstance(addr, ipaddress.IPv6Address):
        embedded = _embedded_ipv4(addr)
        if embedded is not None:
            addr = embedded
    return any(addr in net for net in _BLOCKED_CIDR)

check_ssrf 

check_ssrf(url: str) -> Optional[str]

Check a URL for SSRF vulnerabilities.

Prefers the Rust backend, but falls back to the pure-Python implementation when the compiled extension is unavailable. The SSRF guard is security-critical, so it must never be silently skipped — or crash with ImportError — merely because Rust was not built.

Source code in src/openjarvis/security/ssrf.py 
72
73
74
75
76
77
78
79
80
81
82
83
84
def check_ssrf(url: str) -> Optional[str]:
    """Check a URL for SSRF vulnerabilities.

    Prefers the Rust backend, but falls back to the pure-Python
    implementation when the compiled extension is unavailable. The SSRF
    guard is security-critical, so it must never be silently skipped — or
    crash with ``ImportError`` — merely because Rust was not built.
    """
    from openjarvis._rust_bridge import RUST_AVAILABLE, get_rust_module

    if RUST_AVAILABLE:
        return get_rust_module().check_ssrf(url)
    return _check_ssrf_python(url)