Module ssrf

SSRF protection for outbound URL fetches (import_from_url).

Validates that a user-supplied URL uses an allowed scheme and resolves only to public IP addresses, blocking access to loopback, private, link-local (including the cloud metadata endpoint 169.254.169.254), and unique-local ranges.

Functions

is_blocked_ip
Return true if the IP must NOT be reachable from a user-controlled fetch.
validate_import_url
Validate a user-supplied import URL and return the resolved, allowed host:port authority. Rejects non-http(s) schemes and any host that resolves to a blocked address.
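
The address classification described above, sketched with only `std::net` as an added example; this is not the module's source, and the function names `sketch_is_blocked`, `blocked_v4`, `blocked_v6` and `pick_public` are hypothetical. It goes beyond the ranges listed above by also rejecting the unspecified address and by unwrapping IPv4-mapped IPv6 addresses, both assumptions about what a complete check needs.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

// Hypothetical helper for illustration; not this module's is_blocked_ip.
fn sketch_is_blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => blocked_v4(v4),
        // ::ffff:a.b.c.d reaches the same host as a.b.c.d, so judge it as IPv4.
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => blocked_v4(v4),
            None => blocked_v6(v6),
        },
    }
}

fn blocked_v4(ip: Ipv4Addr) -> bool {
    ip.is_loopback()           // 127.0.0.0/8
        || ip.is_private()     // 10/8, 172.16/12, 192.168/16
        || ip.is_link_local()  // 169.254.0.0/16, covers 169.254.169.254
        || ip.is_unspecified() // 0.0.0.0 (assumption: not in the page's list)
}

fn blocked_v6(ip: Ipv6Addr) -> bool {
    let first = ip.segments()[0];
    ip.is_loopback()                  // ::1
        || ip.is_unspecified()        // :: (assumption: not in the page's list)
        || (first & 0xfe00) == 0xfc00 // fc00::/7 unique-local
        || (first & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

// Accept a resolution result only if every address is public, then return
// the address the caller should connect to.
fn pick_public(resolved: &[SocketAddr]) -> Option<SocketAddr> {
    if resolved.is_empty() || resolved.iter().any(|a| sketch_is_blocked(a.ip())) {
        return None;
    }
    Some(resolved[0])
}

fn main() {
    // Constructed sample addresses, parsed as literals so no DNS is needed.
    let samples = ["93.184.216.34:443", "169.254.169.254:80", "[::ffff:127.0.0.1]:80", "[fd00::1]:80"];
    for s in samples {
        let addr: SocketAddr = s.parse().unwrap();
        println!("{s} blocked={}", sketch_is_blocked(addr.ip()));
    }
}
```

Rejecting the whole result when any one resolved address is blocked keeps a hostname with mixed public and internal records from passing the check.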