feat: SSRF protection via NEXUS_ALLOWED_HOSTS, _env_int validation warnings

2026-05-11 19:38:15 +03:00
parent 04abe44ab4
commit 6743321463
4 changed files with 33 additions and 2 deletions
--- a/guarddog_nexus/config.py
+++ b/guarddog_nexus/config.py
@@ -1,7 +1,8 @@
 """Configuration via environment variables."""

 import os
-from dataclasses import dataclass
+from dataclasses import dataclass, field
+from urllib.parse import urlparse

 from guarddog_nexus.constants import (
    DEFAULT_MAX_CONCURRENT_SCANS,
@@ -21,13 +22,28 @@ def _env_int(name: str, default: int) -> int:
    try:
        return int(val)
    except ValueError:
+        import logging
+
+        logging.getLogger("guarddog_nexus").warning(
+            "Invalid value for %s=%r, using default %d", name, val, default
+        )
        return default


+def _resolve_allowed_hosts() -> list[str]:
+    raw = os.getenv("NEXUS_ALLOWED_HOSTS")
+    if raw:
+        return [h.strip() for h in raw.split(",") if h.strip()]
+    parsed = urlparse(os.getenv("NEXUS_URL", "http://localhost:8081"))
+    host = parsed.hostname or "localhost"
+    return [host]
+
+
@dataclass
 class Config:
    # Nexus connection
    nexus_url: str = os.getenv("NEXUS_URL", "http://localhost:8081")
+    nexus_allowed_hosts: list[str] = field(default_factory=lambda: _resolve_allowed_hosts())
    nexus_download_timeout: int = _env_int("NEXUS_DOWNLOAD_TIMEOUT_SECONDS", HTTP_TIMEOUT_DOWNLOAD)
    nexus_api_timeout: int = _env_int("NEXUS_API_TIMEOUT_SECONDS", HTTP_TIMEOUT_API)