NetworkSecurity

org.llm4s.core.safety.NetworkSecurity

Network security utilities for SSRF protection.

Provides IP address validation to prevent Server-Side Request Forgery (SSRF) attacks by blocking requests to internal networks, cloud metadata endpoints, and other potentially sensitive destinations.

== Protected IP Ranges ==

  • Private networks: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918)
  • Loopback: 127.0.0.0/8, ::1
  • Link-local: 169.254.0.0/16, fe80::/10
  • Cloud metadata: 169.254.169.254 (AWS, GCP, Azure)
  • Multicast: 224.0.0.0/4, ff00::/8
  • Documentation/test ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24

Example
import org.llm4s.core.safety.NetworkSecurity
// Validate a URL before fetching
NetworkSecurity.validateUrl("https://example.com/api") // Right(())
NetworkSecurity.validateUrl("http://169.254.169.254/") // Left(NetworkError)
NetworkSecurity.validateUrl("http://192.168.1.1/admin") // Left(NetworkError)
Supertypes
class Object
trait Matchable
class Any
Members list

Value members

Concrete methods

def isBlockedHostname(hostname: String, additionalBlocked: Set[String]): Boolean

Check if a hostname should be blocked (case-insensitive).

Value parameters

additionalBlocked

Additional hostnames to block

hostname

The hostname to check

Returns

true if the hostname should be blocked

def isBlockedIP(ip: InetAddress): Boolean

Check if an IP address is in a private/internal range that should be blocked.

Value parameters

ip

The IP address to check

Returns

true if the IP is in a blocked range
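
The ranges listed under Protected IP Ranges can be checked with JDK `InetAddress` predicates plus a CIDR match for the documentation ranges. The following is an added sketch, not llm4s source code; `BlockedRangeSketch`, `isBlockedSketch` and `inCidr` are hypothetical names and the sample addresses are constructed.

```scala
import java.net.InetAddress

// Added illustration; not the llm4s implementation. All names here are hypothetical.
object BlockedRangeSketch {

  // Documentation/test ranges from the list above; no JDK predicate covers them.
  private val docRanges: Seq[(InetAddress, Int)] = Seq(
    "192.0.2.0" -> 24, "198.51.100.0" -> 24, "203.0.113.0" -> 24
  ).map { case (net, bits) => InetAddress.getByName(net) -> bits }

  // True when the first `bits` bits of `ip` equal those of `net` (same address family).
  private def inCidr(ip: InetAddress, net: InetAddress, bits: Int): Boolean = {
    val (a, n) = (ip.getAddress, net.getAddress)
    a.length == n.length && (0 until bits).forall { i =>
      val mask = 0x80 >> (i % 8)
      (a(i / 8) & mask) == (n(i / 8) & mask)
    }
  }

  def isBlockedSketch(ip: InetAddress): Boolean =
    ip.isLoopbackAddress ||   // 127.0.0.0/8, ::1
    ip.isSiteLocalAddress ||  // 10/8, 172.16/12, 192.168/16 (JDK also matches IPv6 fec0::/10)
    ip.isLinkLocalAddress ||  // 169.254.0.0/16 (covers 169.254.169.254), fe80::/10
    ip.isMulticastAddress ||  // 224.0.0.0/4, ff00::/8
    docRanges.exists { case (net, bits) => inCidr(ip, net, bits) }

  def main(args: Array[String]): Unit = {
    // Constructed sample inputs. They are IP literals, so getByName performs no DNS lookup.
    // "::ffff:192.168.1.1" is an IPv4-mapped IPv6 literal; the JDK parses it as an
    // Inet4Address, so the IPv4 predicates apply to it.
    val samples = Seq("10.1.2.3", "172.31.255.1", "172.32.0.1", "169.254.169.254",
      "127.0.0.1", "::1", "fe80::1", "::ffff:192.168.1.1", "203.0.113.7", "8.8.8.8")
    samples.foreach { s =>
      val verdict = if (isBlockedSketch(InetAddress.getByName(s))) "blocked" else "allowed"
      println(f"$s%-20s $verdict")
    }
  }
}
```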

def validateHostname(hostname: String, additionalBlockedHostnames: Set[String]): Result[Unit]

Validate a hostname for SSRF safety (without full URL parsing).

Value parameters

additionalBlockedHostnames

Additional hostnames to block

hostname

The hostname to validate

Returns

Right(()) if safe, Left(NetworkError) if blocked

def validateIP(ipString: String): Result[Unit]

Validate an IP address string directly.

Value parameters

ipString

The IP address string to validate

Returns

Right(()) if safe, Left(NetworkError) if blocked

def validateUrl(urlString: String, additionalBlockedHostnames: Set[String], allowedProtocols: Set[String]): Result[Unit]

Validate a URL for SSRF safety.

This performs DNS resolution and checks if the resolved IP is in a blocked range. It also validates the hostname against known blocked hostnames.

Value parameters

additionalBlockedHostnames

Additional hostnames to block

allowedProtocols

Allowed URL protocols (default: http, https)

urlString

The URL to validate

Returns

Right(()) if safe, Left(NetworkError) if blocked

Concrete fields

val CloudMetadataIP: String

Cloud metadata IP address (used by AWS, GCP, Azure).

val DefaultBlockedHostnames: Set[String]

Default blocked hostnames (in addition to IP-based blocking).
