fix(web): run URL SSRF checks off the event loop in async paths #3691

Open
Kewe63 wants to merge 1 commit into NousResearch:main from Kewe63:fix/async-is-safe-url


Kewe63 commented Mar 29, 2026

Summary

  • Adds async_is_safe_url() in tools/url_safety.py, delegating to is_safe_url() via asyncio.to_thread() so socket.getaddrinfo does not block the asyncio event loop.
  • Switches web_extract_tool, web_crawl_tool, and vision preflight / redirect validation to use the async helper.
  • Updates tests (async mocks; Windows tilde-path tests set USERPROFILE alongside HOME).

Motivation

Sync is_safe_url() performs DNS resolution on the hot path. When invoked from async tools, that can stall the event loop and hurt latency under load.

Related

Test plan

  • pytest tests/tools/test_url_safety.py tests/tools/test_website_policy.py tests/tools/test_vision_tools.py tests/test_model_tools_async_bridge.py tests/tools/test_web_tools_tavily.py

- Add async_is_safe_url() wrapping is_safe_url via asyncio.to_thread
- Use in web_extract_tool, web_crawl_tool, and vision_tools (preflight + redirect guard)
- Update tests for async mocks; fix tilde path tests on Windows (USERPROFILE)
Kewe63 force-pushed the fix/async-is-safe-url branch from 8218d94 to d022173 on March 29, 2026 09:35
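
An added sketch, not code from this PR or the repository, of the pattern the summary describes: a synchronous resolve-and-classify SSRF check, the same check moved to a worker thread with asyncio.to_thread(), and a heartbeat task that counts how often the event loop runs during each. The names is_safe_url_sketch, async_is_safe_url_sketch and slow_resolver, the 0.2 s delay, and the "all addresses must be public" rule are assumptions; the project's is_safe_url() is not shown on this page.

```python
import asyncio
import ipaddress
import socket
import time

def slow_resolver(host, delay=0.2):
    """Constructed stand-in for a slow DNS lookup (assumption, not project code)."""
    time.sleep(delay)  # blocks the calling thread, like a slow getaddrinfo
    # AI_NUMERICHOST keeps the sample offline: only IP literals resolve.
    return socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP,
                              flags=socket.AI_NUMERICHOST)

def is_safe_url_sketch(host, resolver=slow_resolver):
    """Hypothetical sync check: every resolved address must be public."""
    try:
        infos = resolver(host)
    except socket.gaierror:
        return False  # fail closed when resolution fails
    addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return bool(addrs) and all(a.is_global for a in addrs)

async def async_is_safe_url_sketch(host):
    """Same check, delegated to a worker thread so the loop keeps running."""
    return await asyncio.to_thread(is_safe_url_sketch, host)

async def ticks_during(check):
    """Count runs of a 10 ms heartbeat task while `check()` is awaited."""
    ticks = 0
    async def heartbeat():
        nonlocal ticks
        while True:
            await asyncio.sleep(0.01)
            ticks += 1
    task = asyncio.create_task(heartbeat())
    await asyncio.sleep(0)  # let the heartbeat reach its first sleep
    result = await check()
    task.cancel()
    return result, ticks

async def blocking_call(host):
    return is_safe_url_sketch(host)  # runs on the loop thread and stalls it

def measure(host):
    """Return ((verdict, ticks) blocking, (verdict, ticks) threaded)."""
    async def run():
        blocked = await ticks_during(lambda: blocking_call(host))
        threaded = await ticks_during(lambda: async_is_safe_url_sketch(host))
        return blocked, threaded
    return asyncio.run(run())

if __name__ == "__main__":
    print(measure("8.8.8.8"))  # constructed sample input
```

The verdict is identical in both paths; only the heartbeat count differs, which is the latency effect the Motivation section refers to.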