Add env ALLOW_ANY_HOST to skip host check (#16351)

common/ssrf_guard.py

@@ -21,6 +21,7 @@ Uses only the standard library so it can be imported from both ``api/`` and
 
 import ipaddress
 import logging
+import os
 import socket
 import threading
 from contextlib import contextmanager
@@ -91,6 +92,11 @@ def pin_dns_global(hostname: str, ip: str):
 
 
 _DEFAULT_ALLOWED_SCHEMES: frozenset[str] = frozenset({"http", "https"})
+_ALLOW_ANY_HOST_ENV = "ALLOW_ANY_HOST"
+
+
+def _allow_any_host() -> bool:
+    return os.environ.get(_ALLOW_ANY_HOST_ENV, "").strip().lower() in {"1", "true", "yes", "on"}
 
 
 def _effective_ip(
@@ -181,8 +187,16 @@ def assert_host_is_safe(host: str) -> str:
 
     Returns the first validated public IP string so the caller can pin it if needed.
     """
+    host = host.strip()
     if not host:
         raise ValueError("Host must not be empty.")
+    if _allow_any_host():
+        logger.warning(
+            "SSRF guard bypass enabled via %s; allowing host without validation: host=%r",
+            _ALLOW_ANY_HOST_ENV,
+            host,
+        )
+        return host
 
     try:
         addr_infos = socket.getaddrinfo(host, None)