crewAI/lib
Devin AI b4bc026c77 fix: add SSRF protection to FileUrl in crewai-files
- Add security.py module with DNS-resolving URL validation that blocks
  private/reserved IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
  127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/32) and IPv6 equivalents
- Update FileUrl._validate_url() to use the new validate_url() function
- Disable follow_redirects in read()/aread() to prevent redirect-based SSRF
- Add CREWAI_FILES_ALLOW_UNSAFE_URLS env var escape hatch
- Add comprehensive tests for SSRF protection

Fixes #5843

Co-Authored-By: João <joao@crewai.com>
2026-05-18 00:55:14 +00:00
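
The DNS-resolving validation described in the commit message, as an added example that is not code from the commit or from the crewAI project. The function names, the injectable resolver, the http/https scheme restriction and the IPv6 entries are assumptions of this example; the IPv4 ranges are the ones the message lists.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# IPv4 ranges are those listed in the commit message; the IPv6 entries are
# this example's assumption of what "IPv6 equivalents" covers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32",
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def system_resolver(host, port):
    """Return every address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def is_blocked(address):
    """True if the address falls inside one of BLOCKED_NETWORKS."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop IPv6 zone id
    # ::ffff:a.b.c.d reaches the IPv4 host, so check the embedded address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS if net.version == ip.version)


def check_url(url, resolver=system_resolver):
    """Return the resolved addresses, or raise ValueError if the URL is unsafe."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # assumption of this example
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(parts.hostname, port)
    if not addresses:
        raise ValueError("host did not resolve")
    # Reject if ANY record is internal: one name can return mixed answers.
    for address in addresses:
        if is_blocked(address):
            raise ValueError(f"{parts.hostname} resolves to blocked {address}")
    return addresses
```

A check like this validates the answer seen at validation time only; a fetch that resolves the name again, or follows a redirect, can reach a different address, which is why the commit also disables follow_redirects.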