
Fix SSRF vulnerability in /verify_end_point by validating endpoint URLs (#1476) #1502

Open
ACHYUTH1203 wants to merge 3 commits into TransformerOptimus:main from ACHYUTH1203:fix/ssrf-verify-endpoint-1476


@ACHYUTH1203

Description

This PR enhances the security validation logic for URL handling and adds comprehensive unit tests to ensure correct behavior.

From a user perspective, this change improves the system’s ability to safely handle URLs by preventing unsafe or potentially malicious inputs (such as localhost, internal IP ranges, or restricted schemes like file://). This reduces the risk of SSRF (Server-Side Request Forgery) vulnerabilities when processing external URLs.

In addition to the validation improvements, this PR introduces isolated unit tests that verify the correctness of the URL safety logic without requiring the full application environment or heavy dependencies.

Related Issues

Solution and Design

The solution focuses on improving and validating the is_safe_url helper function.

Key Improvements:

  • Stricter Validation: Implemented checks for:
    • Localhost addresses (127.0.0.1, localhost).
    • Private/internal IP ranges (e.g., 192.168.x.x, 10.x.x.x).
    • Restricted schemes such as file://.
  • Test Isolation: Added unit tests in tests/unit_tests/helper/test_models_helper_security.py.

Test Plan

The following test cases were added and validated:

| Test Case | Input | Expected Result |
|---|---|---|
| Valid URL | https://example.com | True |
| Localhost | http://127.0.0.1 | False |
| Internal IP | http://192.168.1.1 | False |
| Restricted Scheme | file:///etc/passwd | False |

Execution steps:
Run the test module using the Python module flag to ensure correct environment mapping:

python -m pytest tests/unit_tests/helper/test_models_helper_security.py

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Security enhancement

Checklist

  • My pull request is atomic and focuses on a single change.
  • I have read the contributing guide and my code conforms to the guidelines.
  • I have documented my changes clearly and comprehensively.
  • I have added the required tests.

@ACHYUTH1203
Author

Added unit tests for the SSRF protection logic in is_safe_url.

The tests cover key scenarios including valid external URLs, localhost addresses, internal/private IP ranges, and restricted schemes such as file://.

To ensure test isolation and avoid dependency issues, external modules (e.g., HuggingFace and config-related imports) are mocked. This allows the tests to run independently without requiring the full application environment.

Please let me know if any additional edge cases or test scenarios should be included.
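
Added example, not part of the pull request and not the project's `is_safe_url` (whose code is not shown on this page): a scheme and address check covering the four cases in the test plan, extended to resolve host names so that a name pointing at an internal address is rejected as well. The names `is_url_allowed`, `system_resolver`, `fake_resolver`, `demo` and the `FAKE_DNS` table are hypothetical, and the resolver is injectable so the sample runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host):
    """All addresses the system resolver returns for host."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def _is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Classify IPv4-mapped IPv6 (::ffff:127.0.0.1) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global  # False for loopback, RFC 1918, link-local, reserved

def is_url_allowed(url, resolver=system_resolver):
    """Hypothetical helper: True only for http(s) URLs whose host is, or
    resolves exclusively to, public addresses."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme not in ALLOWED_SCHEMES or not host:
            return False
        try:
            ipaddress.ip_address(host)
            addrs = [host]  # IP literal, no lookup needed
        except ValueError:
            addrs = resolver(host)
        # One internal address among several is enough to reject.
        return bool(addrs) and all(_is_public(a) for a in addrs)
    except (ValueError, OSError):  # malformed URL, failed lookup, bad address
        return False

# Constructed name-to-address table standing in for DNS (not real records).
FAKE_DNS = {"example.com": ["93.184.216.34"], "intranet.test": ["10.0.0.5"],
            "mixed.test": ["93.184.216.34", "127.0.0.1"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])  # unknown names resolve to nothing

def demo():
    urls = ("https://example.com", "http://127.0.0.1", "http://192.168.1.1",
            "file:///etc/passwd", "http://intranet.test/", "http://mixed.test/")
    return {u: is_url_allowed(u, fake_resolver) for u in urls}

if __name__ == "__main__":
    print(demo())
```

The check and the later HTTP request resolve the name separately, so the client should connect to the address that was vetted and re-validate every redirect target.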


Development

Successfully merging this pull request may close these issues.

SSRF Vulnerability in SuperAGI
