Class: SkillBench::Clients::BaseUrlValidator

Inherits:
Object
  • Object
show all
Defined in:
lib/skill_bench/clients/base_url_validator.rb

Overview

Validates a provider base_url before it is used to build an HTTP connection that may carry an API key / bearer token.

Security rationale: base_url is taken verbatim from config/env input and the authenticated request attaches a credential to whatever host it names. Left unchecked this is an SSRF surface, and an http:// URL would transmit the credential in cleartext. This service enforces:

  • the URL must be an absolute http/https URL with a host (empty/relative /garbage values are rejected);
  • when a credential will be attached, non-loopback hosts MUST use https; loopback hosts (localhost, 127.0.0.1, ::1) MAY use http — the legitimate self-hosted/Ollama case — and an explicit opt-in (allow_insecure_base_url) can permit cleartext for non-loopback hosts.

A blank (nil/empty) base_url is allowed so providers may supply their own (https) default downstream. Error messages describe only the transport and never include the credential.

Defined Under Namespace

Classes: InvalidBaseURLError

Constant Summary collapse

LOOPBACK_HOSTS =

Hosts permitted to use cleartext http even with a credential attached.

%w[localhost 127.0.0.1 ::1].freeze

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(base_url, has_credential, allow_insecure) ⇒ BaseUrlValidator

Returns a new instance of BaseUrlValidator.

Parameters:

  • base_url (String, nil)

    the URL to validate.

  • has_credential (Boolean)

    whether a credential will be attached.

  • allow_insecure (Boolean)

    opt-in permitting cleartext non-loopback.



50
51
52
53
54
# File 'lib/skill_bench/clients/base_url_validator.rb', line 50

def initialize(base_url, has_credential, allow_insecure)
  @base_url = base_url
  @has_credential = has_credential
  @allow_insecure = allow_insecure
end

Class Method Details

.call(base_url:, has_credential: false, allow_insecure: false) ⇒ String?

Validates a base URL and returns it unchanged when valid.

Parameters:

  • base_url (String, nil)

    the URL to validate; blank values are returned as-is so a provider default can be applied later.

  • has_credential (Boolean) (defaults to: false)

    whether a credential (api key/bearer token) will be attached to requests sent to this URL.

  • allow_insecure (Boolean) (defaults to: false)

    explicit opt-in that permits cleartext http to a non-loopback host even when a credential is attached.

Returns:

  • (String, nil)

    the validated URL (blank input returned unchanged).

Raises:



43
44
45
# File 'lib/skill_bench/clients/base_url_validator.rb', line 43

def self.call(base_url:, has_credential: false, allow_insecure: false)
  new(base_url, has_credential, allow_insecure).call
end

Instance Method Details

#callString?

Runs the validation.

Returns:

  • (String, nil)

    the validated URL.

Raises:



60
61
62
63
64
65
66
# File 'lib/skill_bench/clients/base_url_validator.rb', line 60

def call
  return @base_url if blank?(@base_url)

  validate_absolute_http_url!
  validate_secure_transport!
  @base_url
end