SSRF guard for the fetch path.
fetch is reachable from the CLI and the MCP server, so a crafted URL or a
prompt-injected link could otherwise be used to reach the cloud metadata
endpoint (169.254.169.254), localhost, or services on the private
network. This module rejects non-http(s) schemes and any URL whose host
resolves to a non-public IP address, on both the initial request and every
redirect hop.
Set WEBFETCH_ALLOW_PRIVATE=1 to disable the guard (for trusted internal
use or tests).
Structs
- BlockedUrl - An error describing why a URL was rejected by the guard.
Functions
- allow_private - Whether the guard is disabled via environment opt-out.
- is_blocked_ip - Returns true if ip is not safe to fetch from a public-web client: loopback, private, link-local (incl. cloud metadata), CGNAT, unspecified, multicast, broadcast, documentation/benchmark ranges, and the IPv6 equivalents (ULA, link-local, IPv4-mapped).
- validate_url - Validate a URL’s scheme and resolve+classify its host. On success returns the validated socket addresses (host resolved to public IPs) so the caller can pin the connection and avoid a DNS-rebinding TOCTOU window.
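The classification and pinning described above, sketched with the standard library only. This is an added example, not this crate's own code: the names blocked_v4, blocked_v6, blocked and resolve_pinned are hypothetical, the sample addresses are constructed, and scheme checking and the WEBFETCH_ALLOW_PRIVATE opt-out are left out.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr, ToSocketAddrs};

// Hypothetical classifier covering the IPv4 ranges listed for is_blocked_ip.
fn blocked_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_loopback() || ip.is_private() || ip.is_unspecified()
        || ip.is_link_local() // 169.254.0.0/16, includes 169.254.169.254
        || ip.is_multicast() || ip.is_broadcast() || ip.is_documentation()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // CGNAT 100.64.0.0/10
        || (o[0] == 198 && (o[1] & 0xfe) == 18) // benchmark 198.18.0.0/15
}

fn blocked_v6(ip: Ipv6Addr) -> bool {
    // ::ffff:a.b.c.d is judged as the IPv4 address it embeds.
    if let Some(v4) = ip.to_ipv4_mapped() {
        return blocked_v4(v4);
    }
    let s0 = ip.segments()[0];
    ip.is_loopback() || ip.is_unspecified() || ip.is_multicast()
        || (s0 & 0xfe00) == 0xfc00 // ULA fc00::/7
        || (s0 & 0xffc0) == 0xfe80 // link-local fe80::/10
}

fn blocked(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => blocked_v4(a),
        IpAddr::V6(a) => blocked_v6(a),
    }
}

// Resolve once, reject if ANY returned address is non-public, and hand back
// the vetted addresses so the caller connects to exactly what was checked.
fn resolve_pinned(host: &str, port: u16) -> Result<Vec<SocketAddr>, String> {
    let addrs: Vec<SocketAddr> = (host, port)
        .to_socket_addrs()
        .map_err(|e| format!("resolve {host}: {e}"))?
        .collect();
    if addrs.is_empty() {
        return Err(format!("{host}: no addresses"));
    }
    match addrs.iter().find(|a| blocked(a.ip())) {
        Some(bad) => Err(format!("{host} resolves to non-public {}", bad.ip())),
        None => Ok(addrs),
    }
}

fn main() {
    // Constructed inputs; IP literals resolve without a DNS query.
    for h in ["169.254.169.254", "100.64.0.1", "::ffff:10.0.0.1", "93.184.216.34"] {
        println!("{h:>18} -> {:?}", resolve_pinned(h, 80));
    }
}
```

Connecting to the returned SocketAddr values, rather than resolving the hostname again inside the HTTP client, is what closes the DNS-rebinding window; the same check has to run again for each redirect target.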