Merge commit from fork

* fix: remediated ssrf

* fix: ran pre-commit

* feat: added verbose error handling

* feat: restructured exception handling around specific operations

---------

Co-authored-by: nkoorty <[email protected]>

Author: geckosecurity

src/_bentoml_impl/serde.py

@@ -21,6 +21,7 @@
 from _bentoml_sdk.validators import DataframeSchema
 from _bentoml_sdk.validators import TensorSchema
 from bentoml._internal.utils.uri import is_http_url
+from bentoml._internal.utils.uri import is_safe_url
 
 if t.TYPE_CHECKING:
     from starlette.requests import Request
@@ -163,7 +164,8 @@ async def parse_request(self, request: Request, cls: type[T]) -> T:
 
         body = await request.body()
         if issubclass(cls, IORootModel) and cls.multipart_fields:
-            if is_http_url(url := body.decode("utf-8", "ignore")):
+            url = body.decode("utf-8", "ignore")
+            if is_http_url(url) and is_safe_url(url):
                 async with httpx.AsyncClient() as client:
                     logger.debug("Request with URL, downloading file from %s", url)
                     resp = await client.get(url)
@@ -189,12 +191,15 @@ async def ensure_file(obj: str | UploadFile) -> UploadFile:
 
         if isinstance(obj, UploadFile):
             return obj
+
+        url = obj.strip("\"'")
+        if not is_safe_url(url):
+            raise ValueError("URL not allowed for security reasons")
+
         async with httpx.AsyncClient() as client:
-            obj = obj.strip("\"'")  # The url may be JSON encoded
-            logger.debug("Request with URL, downloading file from %s", obj)
-            resp = await client.get(obj)
+            resp = await client.get(url)
             body = io.BytesIO(await resp.aread())
-            parsed = urlparse(obj)
+            parsed = urlparse(url)
             return UploadFile(
                 body,
                 size=len(body.getvalue()),

src/bentoml/_internal/utils/uri.py

@@ -1,5 +1,7 @@
+import ipaddress
 import os
 import pathlib
+import socket
 from urllib.parse import quote
 from urllib.parse import unquote
 from urllib.parse import urlparse
@@ -50,3 +52,45 @@ def encode_path_for_uri(path: str) -> str:
 
 def is_http_url(url: str) -> bool:
     return urlparse(url).scheme in {"http", "https"}
+
+
+def is_safe_url(url: str) -> bool:
+    """Check if URL is safe for download (prevents basic SSRF)."""
+    try:
+        parsed = urlparse(url)
+    except (ValueError, TypeError):
+        return False
+    
+    if parsed.scheme not in {"http", "https"}:
+        return False
+
+    hostname = parsed.hostname
+    if not hostname:
+        return False
+
+    if hostname.lower() in {"localhost", "127.0.0.1", "::1", "169.254.169.254"}:
+        return False
+
+    try:
+        ip = ipaddress.ip_address(hostname)
+        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
+    except ValueError:
+        # hostname is not an IP address, need to resolve it
+        pass
+
+    try:
+        addr_info = socket.getaddrinfo(hostname, None)
+    except socket.gaierror:
+        # DNS resolution failed
+        return False
+    
+    for info in addr_info:
+        try:
+            ip = ipaddress.ip_address(info[4][0])
+            if ip.is_private or ip.is_loopback or ip.is_link_local:
+                return False
+        except (ValueError, IndexError):
+            # Skip malformed addresses
+            continue
+    
+    return True