prefect.utilities.urls

Functions

validate_restricted_url ^{<a href="https://github.com/PrefectHQ/prefect/blob/main/src/prefect/utilities/urls.py#L74" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

validate_restricted_url(url: str) -> None

Validate that the provided URL is safe for outbound requests. This prevents attacks like SSRF (Server Side Request Forgery), where an attacker can make requests to internal services (like the GCP metadata service, localhost addresses, or in-cluster Kubernetes services).

This is a pre-flight check that validates every address the hostname resolves to via getaddrinfo. Because DNS can change between this check and the actual HTTP connection, callers that need hardened SSRF protection should also use SSRFProtectedAsyncHTTPTransport / SSRFProtectedHTTPTransport, which re-validate at connection time and connect to the pre-resolved IP to close the TOCTOU window exploited by DNS rebinding attacks.

Args:

• url: The URL to validate.

Raises:

• ValueError: If the URL is a restricted URL.

convert_class_to_name ^{<a href="https://github.com/PrefectHQ/prefect/blob/main/src/prefect/utilities/urls.py#L339" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

convert_class_to_name(obj: Any) -> str

Convert CamelCase class name to dash-separated lowercase name

url_for ^{<a href="https://github.com/PrefectHQ/prefect/blob/main/src/prefect/utilities/urls.py#L348" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

url_for(obj: Union['PrefectFuture[Any]', 'Block', 'Variable', 'Automation', 'Resource', 'ReceivedEvent', BaseModel, str], obj_id: Optional[Union[str, UUID]] = None, url_type: URLType = 'ui', default_base_url: Optional[str] = None, **additional_format_kwargs: Any) -> Optional[str]

Returns the URL for a Prefect object.

Pass in a supported object directly or provide an object name and ID.

Args:

• obj: A Prefect object to get the URL for, or its URL name and ID.
• obj_id: The UUID of the object.
• url_type: Whether to return the URL for the UI (default) or API.
• default_base_url: The default base URL to use if no URL is configured.
• additional_format_kwargs: Additional keyword arguments to pass to the URL format.

Returns:

• Optional[str]: The URL for the given object or None if the object is not supported.

Examples:

url_for(my_flow_run) url_for(obj=my_flow_run) url_for("flow-run", obj_id="123e4567-e89b-12d3-a456-426614174000")

Classes

SSRFProtectedAsyncHTTPTransport ^{<a href="https://github.com/PrefectHQ/prefect/blob/main/src/prefect/utilities/urls.py#L312" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

An httpx.AsyncHTTPTransport that guards against DNS rebinding SSRF.

Behaves identically to httpx.AsyncHTTPTransport except that, for every request, the hostname is resolved, every resolved address is checked against the private-address blocklist, and the connection is made to the specific validated IP. This closes the TOCTOU window between a pre-flight validate_restricted_url check and the actual HTTP connection.

SSRFProtectedHTTPTransport ^{<a href="https://github.com/PrefectHQ/prefect/blob/main/src/prefect/utilities/urls.py#L329" target="_blank"><Icon icon="github" style="width: 14px; height: 14px;" /></a>}

Synchronous counterpart of SSRFProtectedAsyncHTTPTransport.