From 5003134a6d21b5ffaf7099033910dc9701b0701f Mon Sep 17 00:00:00 2001
From: Dannon Baker
Date: Thu, 21 Sep 2023 09:11:21 -0400
Subject: [PATCH] Backport re-checking local ip exclusion from fetching after connection is open
---
 lib/galaxy/files/__init__.py | 6 ++++++
 lib/galaxy/files/uris.py | 10 ++++++++++
 2 files changed, 16 insertions(+)
diff --git a/lib/galaxy/files/__init__.py b/lib/galaxy/files/__init__.py
index f4b5c474d9fc..4b2853c111fa 100644
--- a/lib/galaxy/files/__init__.py
+++ b/lib/galaxy/files/__init__.py
@@ -218,13 +218,16 @@ class ConfiguredFileSourcesConfig:
 def __init__(
 self,
 symlink_allowlist=None,
+ fetch_url_allowlist=None,
 library_import_dir=None,
 user_library_import_dir=None,
 ftp_upload_dir=None,
 ftp_upload_purge=True,
 ):
 symlink_allowlist = symlink_allowlist or []
+ fetch_url_allowlist = fetch_url_allowlist or []
 self.symlink_allowlist = symlink_allowlist
+ self.fetch_url_allowlist = fetch_url_allowlist
 self.library_import_dir = library_import_dir
 self.user_library_import_dir = user_library_import_dir
 self.ftp_upload_dir = ftp_upload_dir
@@ -236,6 +239,7 @@ def from_app_config(config):
 # for this component.
 kwds = {}
 kwds["symlink_allowlist"] = getattr(config, "user_library_import_symlink_allowlist", [])
+ kwds["fetch_url_allowlist"] = getattr(config, "fetch_url_allowlist", [])
 kwds["library_import_dir"] = getattr(config, "library_import_dir", None)
 kwds["user_library_import_dir"] = getattr(config, "user_library_import_dir", None)
 kwds["ftp_upload_dir"] = getattr(config, "ftp_upload_dir", None)
@@ -245,6 +249,7 @@ def from_app_config(config):
 def to_dict(self):
 return {
 "symlink_allowlist": self.symlink_allowlist,
+ "fetch_url_allowlist": self.fetch_url_allowlist,
 "library_import_dir": self.library_import_dir,
 "user_library_import_dir": self.user_library_import_dir,
 "ftp_upload_dir": self.ftp_upload_dir,
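Review bot: In the `__init__` hunk, `fetch_url_allowlist=None` is inserted as the second parameter, so a caller that passes `library_import_dir` or the later arguments positionally would now bind them one slot off. The callers visible in this patch use keywords, so this may not occur in practice, but appending the parameter after `ftp_upload_purge=True,` avoids the shift entirely. Because this list relaxes the local-address exclusion on fetches, it also deserves a comment such as `# entries exempted from the non-local check applied to fetched URLs; empty means no exemptions`, with the accepted entry format stated by someone who knows it, since the hunk does not show it. The body of `__init__` continues past the end of the hunk.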
@@ -255,6 +260,7 @@ def to_dict(self):
 def from_dict(as_dict):
 return ConfiguredFileSourcesConfig(
 symlink_allowlist=as_dict["symlink_allowlist"],
+ fetch_url_allowlist=as_dict["fetch_url_allowlist"],
 library_import_dir=as_dict["library_import_dir"],
 user_library_import_dir=as_dict["user_library_import_dir"],
 ftp_upload_dir=as_dict["ftp_upload_dir"],
diff --git a/lib/galaxy/files/uris.py b/lib/galaxy/files/uris.py
index ddfcbbf12be8..ae17257de987 100644
--- a/lib/galaxy/files/uris.py
+++ b/lib/galaxy/files/uris.py
@@ -62,6 +62,16 @@ def stream_url_to_file(
 temp.flush()
 else:
 page = urllib.request.urlopen(path, timeout=DEFAULT_SOCKET_TIMEOUT) # page will be .close()ed in stream_to_file
+ # default to no exceptions
+ ip_allowlist_reverify = []
+ if file_sources:
+ try:
+ ip_allowlist_reverify = file_sources._file_sources_config.fetch_url_allowlist
+ except AttributeError:
+ # may have existing serialized config at upgrade time?
+ pass
+ # Reverify non-local with open connection here
+ validate_non_local(page.geturl(), ip_allowlist_reverify)
 temp_name = stream_to_file(
 page, prefix=prefix, source_encoding=get_charset_from_http_headers(page.headers), dir=dir
 )
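Review bot: In the `from_dict` hunk, `as_dict["fetch_url_allowlist"]` raises `KeyError` for a dictionary that was serialized before this key existed. That looks like the same upgrade case the `except AttributeError` in `uris.py` is meant to cover, but that handler cannot help, because the failure happens here while the config object is still being built. Reading the key with a default keeps older payloads loadable and leaves the allowlist empty, which is the stricter setting: `fetch_url_allowlist=as_dict.get("fetch_url_allowlist"),`. The `from_dict` call continues past the end of the hunk.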
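Review bot: In the `stream_url_to_file` hunk, the added re-check does not close `page` when it rejects the URL. The existing comment says the response is closed inside `stream_to_file`, but an exception from `validate_non_local` is raised before that call, so the connection stays open. The check also runs only after the request and any redirects have been sent, so it keeps the response from being stored but does not stop the request reaching a local address; validating each redirect target before it is followed would close that gap. `validate_non_local` is defined outside the hunk, and if it resolves the host name again, the address it checks is not necessarily the one the socket is connected to. The enclosing function starts and ends outside the hunk and the page has lost the original indentation, so the nesting of the final call is inferred.

```python
# Reverify non-local with open connection here
try:
    validate_non_local(page.geturl(), ip_allowlist_reverify)
except Exception:
    # rejected after the connection was opened: release it before propagating
    page.close()
    raise
```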