fix(security): allow RFC 2544 range bypass for TUN-mode proxy / Fake-IP users

[dlkakbs]

What does this PR do?

Python 3.11 expanded ipaddress.is_private to cover all IANA special-purpose ranges, including 198.18.0.0/15 (RFC 2544 Benchmarking Test Range). This broke Hermes for users running TUN-mode proxy software (Clash, Mihomo, Sing-box, Surge) that uses this range as a Fake-IP pool.

How Fake-IP works: DNS returns a virtual 198.18.x.x address → the HTTP request goes to the TUN interface → the proxy forwards it to the real public destination. SSRF protection saw 198.18.x.x, classified it as private (correctly, per Python 3.11 semantics), and blocked it — even though no internal service was reachable at that address.

Adds HERMES_ALLOW_RFC2544=true env var to unblock the range. Secure by default: the range stays blocked unless explicitly opted in. Documents the env var in config.py alongside other settings.

Related Issue

Fixes #3777

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✅ Tests (adding or improving test coverage)

Changes Made

• tools/url_safety.py: add _RFC2544_BENCHMARK constant, _ALLOW_RFC2544 env var flag, early-return in _is_blocked_ip when flag is set; document Python 3.11 regression in comment
• tests/tools/test_url_safety.py: add TestRfc2544FakeIp class (4 tests: blocked by default, allowed when enabled, upper bound, RFC 1918 still blocked); extend TestIsBlockedIp parametrize to cover 198.18.x.x
• hermes_cli/config.py: document HERMES_ALLOW_RFC2544 env var with context on when/why to enable it

How to Test

1. Set HERMES_ALLOW_RFC2544=true in your env or .env
2. With TUN proxy + Fake-IP active, run browser_navigate(url="https://www.baidu.com") or any web tool — should no longer be blocked
3. Without the env var, 198.18.x.x remains blocked
4. pytest tests/tools/test_url_safety.py -q — 55 tests pass

Checklist

Code

• Commit messages follow Conventional Commits
• PR contains only changes related to this fix
• pytest tests/tools/test_url_safety.py -q passes (55/55)
• Tests added for new behaviour

Documentation & Housekeeping

• hermes_cli/config.py updated with env var documentation
• Cross-platform impact considered — N/A (pure Python, no OS-specific code)

[huohua-dev]

Tested this class of bug locally under Clash TUN / Fake-IP and confirmed the 198.18.0.0/15 false positive.

One alternative design that worked well for us was a scoped allowlist instead of a global RFC2544 bypass, e.g.:

browser:
  allow_private_urls: false
  trusted_tun_cidrs:
    - 198.18.0.0/15

Then in browser_tool.py, pass those CIDRs into is_safe_url(..., extra_allowed_cidrs=...) for:

• pre-navigation SSRF check
• post-redirect SSRF check

That keeps 192.168/16, 127/8, 169.254/16, etc. blocked while still unbreaking Browser Use / cloud browser flows under Clash TUN.

So if maintainers want the narrowest possible blast radius, browser.trusted_tun_cidrs may be worth considering versus a repo-wide RFC2544 opt-in.

[teknium1]

Superseded by #14166 (merged) — same class of users (TUN-mode proxy / Fake-IP via 198.18.0.0/15), now handled by the broader security.allow_private_urls / HERMES_ALLOW_PRIVATE_URLS toggle that covers all of RFC 2544 + CGNAT + RFC 1918 + localhost. Thanks for the original write-up on the Python 3.11 is_private behavior change — it was useful context when reviewing the broader fix.

[alt-glitch]

Superseded by #14166 which provides a broader toggle covering this use case and more. Merged.

[alt-glitch]

Superseded by #14166 which provides a broader security.allow_private_urls toggle covering this use case and more. Merged.