If allow list has scheme, match exactly

Author: steven10a

src/guardrails/checks/text/urls.py

@@ -325,6 +325,11 @@ def _is_url_allowed(parsed_url: ParseResult, allow_list: list[str], allow_subdom
         if allowed_ip is not None:
             if url_ip is None:
                 continue
+            # Scheme matching for IPs: if allow list entry has explicit scheme, it must match exactly
+            if has_explicit_scheme:
+                allowed_scheme = parsed_allowed.scheme.lower() if parsed_allowed.scheme else ""
+                if allowed_scheme and allowed_scheme != scheme_lower:
+                    continue
             if allowed_port is not None and allowed_port != url_port:
                 continue
             if allowed_ip == url_ip:
@@ -355,6 +360,12 @@ def _is_url_allowed(parsed_url: ParseResult, allow_list: list[str], allow_subdom
         if not host_matches:
             continue
 
+        # Scheme matching: if allow list entry has explicit scheme, it must match exactly
+        if has_explicit_scheme:
+            allowed_scheme = parsed_allowed.scheme.lower() if parsed_allowed.scheme else ""
+            if allowed_scheme and allowed_scheme != scheme_lower:
+                continue
+
         # Path matching with segment boundary respect
         if allowed_path not in ("", "/"):
             # Ensure path matching respects segment boundaries to prevent

tests/unit/checks/test_urls.py

@@ -286,3 +286,42 @@ def test_validate_url_security_allows_userinfo_when_disabled() -> None:
 
     assert parsed is not None  # noqa: S101
     assert reason == ""  # noqa: S101
+
+
+def test_is_url_allowed_enforces_scheme_when_explicitly_specified() -> None:
+    """Scheme-qualified allow list entries must match scheme exactly (security)."""
+    config = URLConfig(
+        url_allow_list=["https://bank.example.com"],
+        allow_subdomains=False,
+        allowed_schemes={"https", "http"},  # Both schemes allowed globally
+    )
+    # HTTPS should be allowed (matches the scheme in allow list)
+    https_url, _ = _validate_url_security("https://bank.example.com", config)
+    # HTTP should be BLOCKED (doesn't match the explicit https:// in allow list)
+    http_url, _ = _validate_url_security("http://bank.example.com", config)
+
+    assert https_url is not None  # noqa: S101
+    assert http_url is not None  # noqa: S101
+
+    # This is the security-critical check: scheme-qualified entries must match exactly
+    assert _is_url_allowed(https_url, config.url_allow_list, config.allow_subdomains) is True  # noqa: S101
+    assert _is_url_allowed(http_url, config.url_allow_list, config.allow_subdomains) is False  # noqa: S101
+
+
+def test_is_url_allowed_enforces_scheme_for_ips() -> None:
+    """Scheme-qualified IP addresses in allow list must match scheme exactly."""
+    config = URLConfig(
+        url_allow_list=["https://192.168.1.100"],
+        allow_subdomains=False,
+        allowed_schemes={"https", "http"},
+    )
+    # HTTPS should be allowed
+    https_ip, _ = _validate_url_security("https://192.168.1.100", config)
+    # HTTP should be BLOCKED
+    http_ip, _ = _validate_url_security("http://192.168.1.100", config)
+
+    assert https_ip is not None  # noqa: S101
+    assert http_ip is not None  # noqa: S101
+
+    assert _is_url_allowed(https_ip, config.url_allow_list, config.allow_subdomains) is True  # noqa: S101
+    assert _is_url_allowed(http_ip, config.url_allow_list, config.allow_subdomains) is False  # noqa: S101