Nous.Tools.UrlGuard (nous v0.16.4)
SSRF protection for outbound HTTP from tools and providers.
Prevents prompt-injected agents from reaching cloud-metadata
(169.254.169.254), internal services on private networks, loopback,
and link-local ranges. By default only http:// and https:// schemes
are accepted; other schemes (file://, gopher://, ftp://, etc.)
are rejected.
Usage
    case Nous.Tools.UrlGuard.validate("https://example.com/foo") do
      {:ok, uri} -> proceed_with(uri)
      {:error, reason} -> {:error, reason} # human-readable
    end
Opt-in: allowing private hosts
For local dev / Docker dev-loop you can pass allow_private_hosts: true:
    Nous.Tools.UrlGuard.validate(url, allow_private_hosts: true)
Do NOT enable this in production. It re-opens the SSRF channel.
Functions
Validate a URL string. Returns {:ok, %URI{}} or {:error, reason}.
Options
:allow_private_hosts — when true, skips the private/loopback blocklist. Defaults to false.
@spec validate_pinned( String.t(), keyword() ) :: {:ok, URI.t(), :inet.ip_address() | nil} | {:error, String.t()}
Like validate/2, but also returns one validated IP address to pin the
subsequent connection to — closing the DNS-rebinding TOCTOU window where the
guard resolves one IP and the HTTP client independently resolves another.
Returns {:ok, %URI{}, ip_tuple} (or {:ok, %URI{}, nil} when host checking
was skipped via allow_private_hosts: true). Because validation rejects the
URL if any resolved address is blocked, the returned address is always safe.
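The following is an added sketch, not Nous's own code, of the invariant described for validate_pinned: resolve once, reject if any address is blocked, and hand back one address to connect to. The module name PinSketch, the injected resolver, the host rebind.example and the IPv4 range list are assumptions made for illustration; IPv6 is failed closed to keep the sketch short.

```elixir
defmodule PinSketch do
  import Bitwise

  # IPv4 ranges named on this page: loopback, private, link-local
  # (169.254.0.0/16 covers the metadata address 169.254.169.254).
  @blocked [{{127, 0, 0, 0}, 8}, {{10, 0, 0, 0}, 8}, {{172, 16, 0, 0}, 12},
            {{192, 168, 0, 0}, 16}, {{169, 254, 0, 0}, 16}]

  def blocked?({_, _, _, _} = ip), do: Enum.any?(@blocked, &in_cidr?(ip, &1))
  # IPv6 is outside this sketch, so fail closed.
  def blocked?(_other), do: true

  defp in_cidr?(ip, {net, bits}), do: (to_int(ip) >>> (32 - bits)) == (to_int(net) >>> (32 - bits))
  defp to_int({a, b, c, d}), do: (a <<< 24) + (b <<< 16) + (c <<< 8) + d

  # Resolve once, reject if ANY address is blocked, return one address to pin.
  # `resolve` is injected so the demo runs offline; a live resolver could be
  # fn host -> :inet.getaddrs(String.to_charlist(host), :inet) end
  def validate_pinned(url, resolve) do
    with %URI{scheme: s, host: host} = uri when s in ["http", "https"] and is_binary(host) <-
           URI.parse(url),
         {:ok, [_ | _] = ips} <- resolve.(host),
         false <- Enum.any?(ips, &blocked?/1) do
      {:ok, uri, hd(ips)}
    else
      _ -> {:error, "URL rejected"}
    end
  end
end

# Constructed rebinding resolver: the first lookup answers with a public
# address (TEST-NET-3), every later lookup with the metadata address.
{:ok, dns} = Agent.start_link(fn -> 0 end)

rebind = fn _host ->
  n = Agent.get_and_update(dns, fn c -> {c, c + 1} end)
  {:ok, [if(n == 0, do: {203, 0, 113, 10}, else: {169, 254, 169, 254})]}
end

{:ok, _uri, pinned} = PinSketch.validate_pinned("http://rebind.example/", rebind)
# An unpinned HTTP client resolves again and receives a different answer.
{:ok, [unpinned]} = rebind.("rebind.example")
IO.inspect(pinned, label: "address validated and pinned")
IO.inspect(unpinned, label: "address an independent lookup returns")
IO.inspect(PinSketch.blocked?(unpinned), label: "independent address is blocked")
```

The second lookup is the TOCTOU window: only a client that connects to the pinned tuple, rather than resolving the hostname again, is covered by the check.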