L0&jI? UdZddlZddlZddlZddlZddlZddlmZmZm Z m Z ddl m Z ej eZdedefdZedd hZeejd ejd ejd ejd ejdejdejdejdejdh ZejdejdfZedhZejdZdadaeed<defdZd#dZdej ej!zdefdZ"dedefdZ#dededefd Z$dedefd!Z%dedefd"Z&dS)$uLURL safety checks — blocks requests to private/internal network addresses. Prevents SSRF (Server-Side Request Forgery) where a malicious prompt or skill could trick the agent into fetching internal resources like cloud metadata endpoints (169.254.169.254), localhost services, or private network hosts. The check can be globally disabled via ``security.allow_private_urls: true`` in config.yaml for environments where DNS resolves external domains to private/benchmark-range IPs (OpenWrt routers, corporate proxies, VPNs that use 198.18.0.0/15 or 100.64.0.0/10). Even when disabled, cloud metadata hostnames (metadata.google.internal, 169.254.169.254) are **always** blocked — those are never legitimate agent targets. Limitations (documented, not fixable at pre-flight level): - DNS rebinding (TOCTOU): an attacker-controlled DNS server with TTL=0 can return a public IP for the check, then a private IP for the actual connection. Fixing this requires connection-level validation (e.g. Python's Champion library or an egress proxy like Stripe's Smokescreen). - Redirect-based bypass is mitigated by httpx event hooks that re-validate each redirect target in vision_tools, gateway platform adapters, and media cache helpers. Web tools use third-party SDKs (Firecrawl/Tavily) where redirect handling is on their servers. N)quoteurlparseurlsplit urlunsplit)is_truthy_valueurlreturncht|ts|S|}|s|S t|}n#t$r|cYSwxYw|jdvr|S|j}|j}|rY | d d}n#t$r|}YnwxYw||kr| ||d}t|jd}t|jd}t|jd}t#|j||||fS)uReturn an ASCII-safe HTTP URL for Hermes-owned URL tools. Browsers and HTTP clients expect URIs, but users and models often provide IRIs such as ``https://wttr.in/Köln``. Preserve URL syntax and existing percent escapes while encoding non-ASCII host/path/query/fragment text. This is intentionally for URL tool inputs only; arbitrary shell commands must not be rewritten. >httphttpsidnaasciiz/%:@!$&'()*+,;=)safez/%:@!$&'()*+,;=?) isinstancestrstripr ValueErrorschemelowernetlochostnameencodedecode UnicodeErrorreplacerpathqueryfragmentr) rrawparsedrr ascii_hostrrrs 5/home/ubuntu/.hermes/hermes-agent/tools/url_safety.pynormalize_url_for_requestr$&sf c3   ))++C  #  }$555 ]FH= "!0077@@JJ " " "!JJJ "  ! !^^Hj!<>>H v}fdE8D E EEs#A AA(B** B98B9zmetadata.google.internalz metadata.googz169.254.169.254z 169.254.170.2z169.254.169.253z fd00:ec2::254z100.100.100.200z::ffff:169.254.169.254z::ffff:169.254.170.2z::ffff:169.254.169.253z::ffff:100.100.100.200z169.254.0.0/16z::ffff:169.254.0.0/112zmultimedia.nt.qq.com.cnz 100.64.0.0/10F_cached_allow_privatecztrtSdadatjdd}|dvr datS|dvrtS ddlm}|}|d i}t|tr-t|d d r datS|d i}t|tr-t|d d r datSn#t$rYnwxYwtS) acReturn True when the user has opted out of private-IP blocking. Checks (in priority order): 1. ``HERMES_ALLOW_PRIVATE_URLS`` env var (``true``/``1``/``yes``) 2. ``security.allow_private_urls`` in config.yaml 3. ``browser.allow_private_urls`` in config.yaml (legacy / backward compat) Result is cached for the process lifetime. TFHERMES_ALLOW_PRIVATE_URLS>1yestrue>0nofalser)read_raw_configsecurityallow_private_urls)defaultbrowser) _allow_private_resolvedr%osgetenvrrhermes_cli.configr/getrdictr Exception)env_valr/cfgsecr3s r#_global_allow_private_urlsr>sw%$$"!i3R88>>@@FFHHG&&& $$$&&&$$ 555555oggj"%% c4  )_ GG( ) )5& & &  )%) !( ('')R(( gt $ $ ) KK, - -u* * *  )%) !( (       ! s%A'D& AD&& D32D3cdadadS)u+Reset the cached toggle — only for tests.FN)r4r%r#_reset_allow_private_cacherBs$!rAipc.t|tjrA|j:|j}|jp+|jp$|jp|jp|jp|j p|tvS|js|js|js|jrdS|js|j rdS|tvrdSdS)zz(is_always_blocked_url..s800!c 000000rAzDBlocked request to cloud metadata address (always-blocked floor): %src3 K|]}|vV dSrTr@)rVrWresolveds r#rXz(is_always_blocked_url..!s866$'C666666rAzJBlocked request to cloud metadata address (always-blocked floor): %s -> %sz&is_always_blocked_url error for %s: %s)rrrrrstrip_BLOCKED_HOSTNAMESloggerwarningrE ip_addressr_ALWAYS_BLOCKED_IPSany_ALWAYS_BLOCKED_NETWORKSsocket getaddrinfo AF_UNSPEC SOCK_STREAMgaierrorr:debug) rr!r addr_info_family_sockaddrip_strexcrCrZs @@r#is_always_blocked_urlros:@#O)r002288::AA#FF 5 ) ) ) NNQ   4 %h//BB   BBB  >(((C0000%=000--(1 t5 *$ 0&2DII   55 +4   &GQ1ha[F $/77    ...#6666+C66633.7  tt/u   =sCHHHuuuuu sAF5$F5>BF5 B"F5!B""A F50+DF5D/+F5.D//F5EF5 E'$F5&E''A F52F55 G&?G!!G&rrc |dko|tvS)zGReturn True when a trusted HTTPS hostname may bypass IP-class blocking.r )_TRUSTED_PRIVATE_IP_HOSTS)rrs r#_allows_private_ip_resolutionrr5s W  F-F!FFrAc t|}|jpdd}|jpd}|dvrt d|pddS|sdS|tvrt d|dSt}t||} tj |dtj tj}n1#tj$rt d |YdSwxYw|D]\}}}}} | d } t!j|  n#t$$rY2wxYw t&vs t) fd t*Drt d || dS|s0|s.t- rt d || dS|rt d|n|rt d|dS#t0$r'} t d|| Yd} ~ dSd} ~ wwxYw)uReturn True if the URL target is not a private/internal address. Resolves the hostname to an IP and checks against private ranges. Fails closed: DNS errors and unexpected exceptions block the request. When ``security.allow_private_urls`` is enabled (or the env var ``HERMES_ALLOW_PRIVATE_URLS=true``), private-IP blocking is skipped. Cloud metadata endpoints (169.254.169.254, metadata.google.internal) remain blocked regardless — they are never legitimate agent targets. r(rR>r r u.Blocked request — unsupported URL scheme: %szFz(Blocked request to internal hostname: %sNu1Blocked request — DNS resolution failed for: %src3 K|]}|vV dSrTr@rUs r#rXzis_safe_url..js'/^/^cc /^/^/^/^/^/^rAz3Blocked request to cloud metadata address: %s -> %sz5Blocked request to private/internal address: %s -> %szKAllowing private/internal resolution (security.allow_private_urls=true): %szAAllowing trusted hostname despite private/internal resolution: %sTu5Blocked request — URL safety check error for %s: %s)rrrrr[rr]r^r\r>rrrcrdrerfrgrEr_rr`rarbrPrhr:) rr!rrallow_all_privateallow_private_iprifamilyrkrlrmrnrCs @r# is_safe_urlrx:sD#O)r002288::AA#FF-%2,,..4466 * * * NNKVM`W` a a a5 5 ) ) ) NNEx P P P578886JJ *8T6;KVM_``II    NNNPX Y Y Y55   *3   %FAq!Xa[F )&11    (((C/^/^/^/^E]/^/^/^,^,^(Ifuu$ -= .QSBTBT Kfuu   LL]      LLS    t  NPSUXYYYuuuuu sBH8"H8&$H8 H8++DH8*EH8EH8E0/H80 E=:H8<E==A H80H8:rB IPv4AddressrFrProrrrxr|r@rAr#rs2 >>>>>>>>>>>>!!!!!!  8 $ $&F3&F3&F&F&F&FVY  iI*++I))I*++I))I*++I122I/00I122I122 !  I)**I122&I'&%o66  #t###0!D0!0!0!0!f""""y,y/DD,]s]t]]]]@GCGGGGGG OSOTOOOOd55555555rA