From 97c519662af44fdcdddb594297032d65c9ae171b Mon Sep 17 00:00:00 2001
From: Wang Qi <wangq8@outlook.com>
Date: Thu, 25 Jun 2026 17:17:02 +0800
Subject: [PATCH] Add env ALLOW_ANY_HOST to skip host check (#16351)

---
 common/ssrf_guard.py              | 14 ++++++++++++++
 docker/.env                       |  4 ++++
 internal/service/agent_dbcheck.go | 16 ++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/common/ssrf_guard.py b/common/ssrf_guard.py
index 4f87b94d7b..12130bc6a2 100644
--- a/common/ssrf_guard.py
+++ b/common/ssrf_guard.py
@@ -21,6 +21,7 @@ Uses only the standard library so it can be imported from both ``api/`` and
 
 import ipaddress
 import logging
+import os
 import socket
 import threading
 from contextlib import contextmanager
@@ -91,6 +92,11 @@ def pin_dns_global(hostname: str, ip: str):
 
 
 _DEFAULT_ALLOWED_SCHEMES: frozenset[str] = frozenset({"http", "https"})
+_ALLOW_ANY_HOST_ENV = "ALLOW_ANY_HOST"
+
+
+def _allow_any_host() -> bool:
+    return os.environ.get(_ALLOW_ANY_HOST_ENV, "").strip().lower() in {"1", "true", "yes", "on"}
 
 
 def _effective_ip(
@@ -181,8 +187,16 @@ def assert_host_is_safe(host: str) -> str:
 
     Returns the first validated public IP string so the caller can pin it if needed.
     """
+    host = host.strip()
     if not host:
         raise ValueError("Host must not be empty.")
+    if _allow_any_host():
+        logger.warning(
+            "SSRF guard bypass enabled via %s; allowing host without validation: host=%r",
+            _ALLOW_ANY_HOST_ENV,
+            host,
+        )
+        return host
 
     try:
         addr_infos = socket.getaddrinfo(host, None)
diff --git a/docker/.env b/docker/.env
index cf40ab6325..41ac3ddd55 100644
--- a/docker/.env
+++ b/docker/.env
@@ -161,6 +161,10 @@ GO_ADMIN_PORT=9383
 # API_PROXY_SCHEME=hybrid # go and python hybrid deploy mode
 API_PROXY_SCHEME=python # use pure python server deployment
 
+# Development-only: set to 1 to bypass host safety checks for test_db_connection and allow private/local database hosts.
+# Do not enable in production.
+ALLOW_ANY_HOST=0
+
 # The RAGFlow Docker image to download. v0.22+ doesn't include embedding models.
 RAGFLOW_IMAGE=infiniflow/ragflow:v0.26.1
 
diff --git a/internal/service/agent_dbcheck.go b/internal/service/agent_dbcheck.go
index f0c606d51c..1a4a48cf3f 100644
--- a/internal/service/agent_dbcheck.go
+++ b/internal/service/agent_dbcheck.go
@@ -24,6 +24,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"strconv"
 	"strings"
 	"time"
@@ -53,6 +54,12 @@ func AssertHostIsSafe(host string) (string, error) {
 	if host == "" {
 		return "", errors.New("Host must not be empty.")
 	}
+	if allowAnyHost() {
+		zap.L().Warn("SSRF guard bypass enabled via ALLOW_ANY_HOST; allowing host without validation",
+			zap.String("host", host),
+		)
+		return host, nil
+	}
 
 	ips, err := net.LookupIP(host)
 	if err != nil {
@@ -95,6 +102,15 @@ func AssertHostIsSafe(host string) (string, error) {
 	return resolvedIP, nil
 }
 
+func allowAnyHost() bool {
+	switch strings.ToLower(strings.TrimSpace(os.Getenv("ALLOW_ANY_HOST"))) {
+	case "1", "true", "yes", "on":
+		return true
+	default:
+		return false
+	}
+}
+
 func isPublicAddr(addr netip.Addr) bool {
 	addr = addr.Unmap()