From 74a716022336e95f253768e498e6bcbc75007ab4 Mon Sep 17 00:00:00 2001
From: Rip&Tear <84775494+theCyberTech@users.noreply.github.com>
Date: Wed, 24 Jun 2026 19:00:57 +0800
Subject: [PATCH] Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 .../src/crewai_tools/security/safe_requests.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/crewai-tools/src/crewai_tools/security/safe_requests.py b/lib/crewai-tools/src/crewai_tools/security/safe_requests.py
index a71fe94c8..787dbb475 100644
--- a/lib/crewai-tools/src/crewai_tools/security/safe_requests.py
+++ b/lib/crewai-tools/src/crewai_tools/security/safe_requests.py
@@ -159,6 +159,15 @@ def safe_get(url: str, **kwargs: Any) -> requests.Response:
 ValueError: If the URL, a redirect target, or the connected peer is not allowed.
 """
+ # Prevent callers from forcing a proxy path (which would validate the proxy
+ # peer IP rather than the destination), unless the escape hatch is enabled.
+ proxies = kwargs.pop("proxies", None)
+ if proxies and proxies != {} and not _is_escape_hatch_enabled():
+ raise ValueError(
+ "Proxies are not allowed for safe_get. Set CREWAI_TOOLS_ALLOW_UNSAFE_PATHS=true to bypass."
+ )
+ kwargs["proxies"] = {}
+
 validate_url(url)
 with create_safe_session() as session:
 return session.get(url, **kwargs)
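Review bot: The unconditional `kwargs["proxies"] = {}` at the end of the added block discards the caller's proxies even when `_is_escape_hatch_enabled()` is true, so the bypass that the comment and the error message promise never takes effect. After the check any truthy `proxies` implies the hatch is on, so `kwargs["proxies"] = proxies or {}` would honour it, and `proxies != {}` is redundant next to the truthiness test. Separately, an empty `proxies` dict does not stop requests from merging `HTTP_PROXY`/`HTTPS_PROXY` from the environment while the session's `trust_env` is true; whether `create_safe_session()` sets `trust_env = False` is not visible here and is worth confirming, since an environment proxy would presumably lead to the same proxy-peer validation the comment describes. The start of `safe_get` (signature and the opening of the docstring) lies outside the hunk.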