nyx/tests/dynamic_fixtures/python/ssrf_negative.py

"""SSRF — negative fixture.

Safe function: validates URL scheme and host against an allowlist.
Expected verdict: NotConfirmed.
"""
import urllib.request
import urllib.parse


ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "data.example.com"}


def fetch_url(url):
    """Safe: validates URL before fetching."""
    try:
        parsed = urllib.parse.urlparse(url)
    except Exception:
        print("Invalid URL")
        return

    if parsed.scheme not in ALLOWED_SCHEMES:
        print(f"Scheme not allowed: {parsed.scheme}")
        return
    if parsed.hostname not in ALLOWED_HOSTS:
        print(f"Host not allowed: {parsed.hostname}")
        return

    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            print(resp.read().decode("utf-8", errors="replace"))
    except Exception as e:
        print(f"Fetch error: {e}", end="")
Dynamic (#77) 2026-06-05 10:16:30 -05:00			`"""SSRF — negative fixture.`

			`Safe function: validates URL scheme and host against an allowlist.`
			`Expected verdict: NotConfirmed.`
			`"""`
			`import urllib.request`
			`import urllib.parse`


			`ALLOWED_SCHEMES = {"https"}`
			`ALLOWED_HOSTS = {"api.example.com", "data.example.com"}`


			`def fetch_url(url):`
			`"""Safe: validates URL before fetching."""`
			`try:`
			`parsed = urllib.parse.urlparse(url)`
			`except Exception:`
			`print("Invalid URL")`
			`return`

			`if parsed.scheme not in ALLOWED_SCHEMES:`
			`print(f"Scheme not allowed: {parsed.scheme}")`
			`return`
			`if parsed.hostname not in ALLOWED_HOSTS:`
			`print(f"Host not allowed: {parsed.hostname}")`
			`return`

			`try:`
			`with urllib.request.urlopen(url, timeout=3) as resp:`
			`print(resp.read().decode("utf-8", errors="replace"))`
			`except Exception as e:`
			`print(f"Fetch error: {e}", end="")`