[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in

tests/dynamic_fixtures/python/ssrf_negative.py

@@ -0,0 +1,33 @@
+"""SSRF — negative fixture.
+
+Safe function: validates URL scheme and host against an allowlist.
+Expected verdict: NotConfirmed.
+"""
+import urllib.request
+import urllib.parse
+
+
+ALLOWED_SCHEMES = {"https"}
+ALLOWED_HOSTS = {"api.example.com", "data.example.com"}
+
+
+def fetch_url(url):
+    """Safe: validates URL before fetching."""
+    try:
+        parsed = urllib.parse.urlparse(url)
+    except Exception:
+        print("Invalid URL")
+        return
+
+    if parsed.scheme not in ALLOWED_SCHEMES:
+        print(f"Scheme not allowed: {parsed.scheme}")
+        return
+    if parsed.hostname not in ALLOWED_HOSTS:
+        print(f"Host not allowed: {parsed.hostname}")
+        return
+
+    try:
+        with urllib.request.urlopen(url, timeout=3) as resp:
+            print(resp.read().decode("utf-8", errors="replace"))
+    except Exception as e:
+        print(f"Fetch error: {e}", end="")