0.54.3

changedetectionio/__init__.py

@@ -2,7 +2,7 @@
 
 # Read more https://github.com/dgtlmoon/changedetection.io/wiki
 # Semver means never use .01, or 00. Should be .1.
-__version__ = '0.54.1'
+__version__ = '0.54.3'
 
 from changedetectionio.strtobool import strtobool
 from json.decoder import JSONDecodeError

changedetectionio/languages.py

@@ -37,6 +37,7 @@ def get_timeago_locale(flask_locale):
         'no': 'nb_NO',      # Norwegian Bokmål
         'hi': 'in_HI',      # Hindi
         'cs': 'en',         # Czech not supported by timeago, fallback to English
+        'uk': 'uk',         # Ukrainian
         'en_GB': 'en',      # British English - timeago uses 'en'
         'en_US': 'en',      # American English - timeago uses 'en'
     }
@@ -67,6 +68,7 @@ LANGUAGE_DATA = {
     'tr': {'flag': 'fi fi-tr fis', 'name': 'Türkçe'},
     'ar': {'flag': 'fi fi-sa fis', 'name': 'العربية'},
     'hi': {'flag': 'fi fi-in fis', 'name': 'हिन्दी'},
+    'uk': {'flag': 'fi fi-ua fis', 'name': 'Українська'},
 }
 
 

changedetectionio/processors/base.py

@@ -1,12 +1,15 @@
+import asyncio
 import re
 import hashlib
 
 from changedetectionio.browser_steps.browser_steps import browser_steps_get_valid_steps
 from changedetectionio.content_fetchers.base import Fetcher
 from changedetectionio.strtobool import strtobool
+from changedetectionio.validate_url import is_private_hostname
 from copy import deepcopy
 from abc import abstractmethod
 import os
+from urllib.parse import urlparse
 from loguru import logger
 
 SCREENSHOT_FORMAT_JPEG = 'JPEG'
@@ -95,6 +98,23 @@ class difference_detection_processor():
             self.last_raw_content_checksum = None
 
 
+    async def validate_iana_url(self):
+        """Pre-flight SSRF check — runs DNS lookup in executor to avoid blocking the event loop.
+        Covers all fetchers (requests, playwright, puppeteer, plugins) since every fetch goes
+        through call_browser().
+        """
+        if strtobool(os.getenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')):
+            return
+        parsed = urlparse(self.watch.link)
+        if not parsed.hostname:
+            return
+        loop = asyncio.get_running_loop()
+        if await loop.run_in_executor(None, is_private_hostname, parsed.hostname):
+            raise Exception(
+                f"Fetch blocked: '{self.watch.link}' resolves to a private/reserved IP address. "
+                f"Set ALLOW_IANA_RESTRICTED_ADDRESSES=true to allow."
+            )
+
     async def call_browser(self, preferred_proxy_id=None):
 
         from requests.structures import CaseInsensitiveDict
@@ -108,6 +128,8 @@ class difference_detection_processor():
                     "file:// type access is denied for security reasons."
                 )
 
+        await self.validate_iana_url()
+
         # Requests, playwright, other browser via wss:// etc, fetch_extra_something
         prefer_fetch_backend = self.watch.get('fetch_backend', 'system')
 

changedetectionio/tests/test_security.py

@@ -34,6 +34,7 @@ def test_favicon(client, live_server, measure_memory_usage, datastore_path):
                                                                             favicon_base_64=SVG_BASE64
                                                                             )
 
+
     res = client.get(url_for('static_content', group='favicon', filename=uuid))
     assert res.status_code == 200
     assert len(res.data) > 10
@@ -583,13 +584,16 @@ def test_static_directory_traversal(client, live_server, measure_memory_usage, d
 
 def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memory_usage, datastore_path):
     """
-    SSRF protection: IANA-reserved/private IP addresses must be blocked by default.
+    SSRF protection: IANA-reserved/private IP addresses are blocked at fetch-time, not add-time.
+
+    Watches targeting private/reserved IPs can be *added* freely; the block happens when the
+    fetcher actually tries to reach the URL (via validate_iana_url() in call_browser()).
 
     Covers:
     1. is_private_hostname() correctly classifies all reserved ranges
-    2. is_safe_valid_url() rejects private-IP URLs at add-time (env var off)
-    3. is_safe_valid_url() allows private-IP URLs when ALLOW_IANA_RESTRICTED_ADDRESSES=true
-    4. UI form rejects private-IP URLs and shows the standard error message
+    2. is_safe_valid_url() ALLOWS private-IP URLs at add-time (IANA check moved to fetch-time)
+    3. ALLOW_IANA_RESTRICTED_ADDRESSES has no effect on add-time; it only controls fetch-time
+    4. UI form accepts private-IP URLs at add-time without error
     5. Requests fetcher blocks fetch-time DNS rebinding (fresh check on every fetch)
     6. Requests fetcher blocks redirects that lead to a private IP (open-redirect bypass)
 
@@ -601,8 +605,6 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
     from changedetectionio.validate_url import is_safe_valid_url, is_private_hostname
 
     monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
-    # Clear any URL results cached while the env var was 'true'
-    is_safe_valid_url.cache_clear()
 
     # ------------------------------------------------------------------
     # 1. is_private_hostname() — unit tests across all reserved ranges
@@ -624,9 +626,10 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
         assert not is_private_hostname(host), f"{host} should be identified as public"
 
     # ------------------------------------------------------------------
-    # 2. is_safe_valid_url() blocks private-IP URLs (env var off)
+    # 2. is_safe_valid_url() ALLOWS private-IP URLs at add-time
+    #    IANA check is no longer done here — it moved to fetch-time validate_iana_url()
     # ------------------------------------------------------------------
-    blocked_urls = [
+    private_ip_urls = [
         'http://127.0.0.1/',
         'http://10.0.0.1/',
         'http://172.16.0.1/',
@@ -637,23 +640,24 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
         'http://[fc00::1]/',
         'http://[fe80::1]/',
     ]
-    for url in blocked_urls:
-        assert not is_safe_valid_url(url), f"{url} should be blocked by is_safe_valid_url"
+    for url in private_ip_urls:
+        assert is_safe_valid_url(url), f"{url} should be allowed by is_safe_valid_url (IANA check is at fetch-time)"
 
     # ------------------------------------------------------------------
-    # 3. ALLOW_IANA_RESTRICTED_ADDRESSES=true bypasses the block
+    # 3. ALLOW_IANA_RESTRICTED_ADDRESSES does not affect add-time validation
+    #    It only controls fetch-time blocking inside validate_iana_url()
     # ------------------------------------------------------------------
     monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'true')
-    is_safe_valid_url.cache_clear()
     assert is_safe_valid_url('http://127.0.0.1/'), \
-        "Private IP should be allowed when ALLOW_IANA_RESTRICTED_ADDRESSES=true"
+        "Private IP should be allowed at add-time regardless of ALLOW_IANA_RESTRICTED_ADDRESSES"
 
-    # Restore the block for the remaining assertions
     monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
-    is_safe_valid_url.cache_clear()
+    assert is_safe_valid_url('http://127.0.0.1/'), \
+        "Private IP should be allowed at add-time regardless of ALLOW_IANA_RESTRICTED_ADDRESSES"
 
     # ------------------------------------------------------------------
-    # 4. UI form rejects private-IP URLs
+    # 4. UI form accepts private-IP URLs at add-time
+    #    The watch is created; the SSRF block fires later at fetch-time
     # ------------------------------------------------------------------
     for url in ['http://127.0.0.1/', 'http://169.254.169.254/latest/meta-data/']:
         res = client.post(
@@ -661,8 +665,8 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
             data={'url': url, 'tags': ''},
             follow_redirects=True
         )
-        assert b'Watch protocol is not permitted or invalid URL format' in res.data, \
-            f"UI should reject {url}"
+        assert b'Watch protocol is not permitted or invalid URL format' not in res.data, \
+            f"UI should accept {url} at add-time (SSRF is blocked at fetch-time)"
 
     # ------------------------------------------------------------------
     # 5. Fetch-time DNS-rebinding check in the requests fetcher
@@ -708,3 +712,35 @@ def test_ssrf_private_ip_blocked(client, live_server, monkeypatch, measure_memor
                     request_body=None,
                     request_method='GET',
                 )
+
+
+def test_unresolvable_hostname_is_allowed(client, live_server, monkeypatch):
+    """
+    Unresolvable hostnames must NOT be blocked at add-time when ALLOW_IANA_RESTRICTED_ADDRESSES=false.
+
+    DNS failure (gaierror) at add-time does not mean the URL resolves to a private IP —
+    the domain may simply be offline or not yet live. Blocking it would be a false positive.
+    The real DNS-rebinding protection happens at fetch-time in call_browser().
+    """
+    from changedetectionio.validate_url import is_safe_valid_url
+
+    monkeypatch.setenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')
+
+    url = 'http://this-host-does-not-exist-xyz987.invalid/some/path'
+
+    # Should pass URL validation despite being unresolvable
+    assert is_safe_valid_url(url), \
+        "Unresolvable hostname should pass is_safe_valid_url — DNS failure is not a private-IP signal"
+
+    # Should be accepted via the UI form and appear in the watch list
+    res = client.post(
+        url_for('ui.ui_views.form_quick_watch_add'),
+        data={'url': url, 'tags': ''},
+        follow_redirects=True
+    )
+    assert b'Watch protocol is not permitted or invalid URL format' not in res.data, \
+        "UI should not reject a URL just because its hostname is unresolvable"
+
+    res = client.get(url_for('watchlist.index'))
+    assert b'this-host-does-not-exist-xyz987.invalid' in res.data, \
+        "Unresolvable hostname watch should appear in the watch overview list"

changedetectionio/translations/fr/LC_MESSAGES/messages.po

@@ -1978,7 +1978,7 @@ msgstr "Format d'heure invalide. Utilisez HH:MM."
 
 #: changedetectionio/forms.py
 msgid "Not a valid timezone name"
-msgstr "Ce n'est pas un nom de fuseau horaire valide"
+msgstr "Nom de fuseau horaire invalide"
 
 #: changedetectionio/forms.py
 msgid "not set"
@@ -2054,9 +2054,7 @@ msgstr "secondes"
 
 #: changedetectionio/forms.py
 msgid "Notification Body and Title is required when a Notification URL is used"
-msgstr ""
-"Le corps et le titre de la notification sont requis lorsqu'une URL de notification est utiliséeLe corps et le titre "
-"de la notification sont requis lorsqu'une URL de notification est utilisée"
+msgstr "Le corps et le titre de la notification sont requis lorsqu'une URL de notification est utilisée"
 
 #: changedetectionio/forms.py
 #, python-format
@@ -2185,11 +2183,11 @@ msgstr "Utilisez les paramètres globaux pour le temps entre la vérification et
 
 #: changedetectionio/forms.py
 msgid "CSS/JSONPath/JQ/XPath Filters"
-msgstr "Filtre CSS/xPath"
+msgstr "Filtre CSS/JSONPath/JQ/XPath"
 
 #: changedetectionio/forms.py
 msgid "Remove elements"
-msgstr "Sélectionner par élément"
+msgstr "Supprimer par élément"
 
 #: changedetectionio/forms.py
 msgid "Extract text"
@@ -2337,7 +2335,7 @@ msgstr "URL du proxy"
 
 #: changedetectionio/forms.py
 msgid "Proxy URLs must start with http://, https:// or socks5://"
-msgstr "Les URL proxy doivent commencer par http://, https:// ou chaussettes5://"
+msgstr "Les URL proxy doivent commencer par http://, https:// ou socks5://"
 
 #: changedetectionio/forms.py
 msgid "Browser connection URL"

changedetectionio/validate_url.py

@@ -61,7 +61,9 @@ def normalize_url_encoding(url):
 def is_private_hostname(hostname):
     """Return True if hostname resolves to an IANA-restricted (private/reserved) IP address.
 
-    Fails closed: unresolvable hostnames return True (block them).
+    Unresolvable hostnames return False (allow them) — DNS may be temporarily unavailable
+    or the domain not yet live. The actual DNS rebinding attack is mitigated by fetch-time
+    re-validation in requests.py, not by blocking unresolvable domains at add-time.
     Never cached — callers that need fresh DNS resolution (e.g. at fetch time) can call
     this directly without going through the lru_cached is_safe_valid_url().
     """
@@ -69,13 +71,15 @@ def is_private_hostname(hostname):
         for info in socket.getaddrinfo(hostname, None):
             ip = ipaddress.ip_address(info[4][0])
             if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
+                logger.warning(f"Hostname '{hostname} - {ip} - ip.is_private = {ip.is_private}, ip.is_loopback = {ip.is_loopback}, ip.is_link_local = {ip.is_link_local}, ip.is_reserved = {ip.is_reserved}")
                 return True
-    except socket.gaierror:
-        return True
+    except socket.gaierror as e:
+        logger.warning(f"{hostname} error checking {str(e)}")
+        return False
+    logger.info(f"Hostname '{hostname}' is NOT private/IANA restricted.")
     return False
 
 
-@lru_cache(maxsize=10000)
 def is_safe_valid_url(test_url):
     from changedetectionio import strtobool
     from changedetectionio.jinja2_custom import render as jinja_render
@@ -138,12 +142,4 @@ def is_safe_valid_url(test_url):
         logger.warning(f'URL f"{test_url}" failed validation, aborting.')
         return False
 
-    # Block IANA-restricted (private/reserved) IP addresses unless explicitly allowed.
-    # This is an add-time check; fetch-time re-validation in requests.py handles DNS rebinding.
-    if not strtobool(os.getenv('ALLOW_IANA_RESTRICTED_ADDRESSES', 'false')):
-        parsed = urlparse(test_url)
-        if parsed.hostname and is_private_hostname(parsed.hostname):
-            logger.warning(f'URL "{test_url}" resolves to a private/reserved IP address, aborting.')
-            return False
-
     return True