Python: Add OpenAPI server URL validation

[eavanvalkenburg]

Summary

• Add server URL validation for Python OpenAPI operation execution before outbound requests are made
• Add execution settings for trusted allowed base URLs and private-network access
• Pass operation arguments into server variable resolution and add regression coverage for substituted server hosts

Testing

• uv run pytest tests/unit/connectors/openapi_plugin/test_server_url_validator.py tests/unit/connectors/openapi_plugin/test_openapi_runner.py tests/unit/connectors/openapi_plugin/test_openapi_manager.py tests/unit/connectors/openapi_plugin/test_sk_openapi.py
• uv run pytest tests/integration/cross_language/test_cross_language.py -k openapi
• uv run ruff check ...
• uv run ruff format --check ...

[github-actions]

Python Test Coverage Report •

File	Stmts	Miss	Cover	Missing
__init__.py	4	0	100%
connectors/openapi_plugin
__init__.py	5	0	100%
openapi_function_execution_parameters.py	33	0	100%
openapi_manager.py	80	8	90%	54, 75, 103–106, 151–152
openapi_runner.py	109	0	100%
server_url_validator.py	156	21	86%	86–87, 98, 100, 102, 111, 116, 133, 162–163, 170–180
connectors/openapi_plugin/models
rest_api_operation.py	248	24	90%	101–102, 111–112, 121–122, 132, 141–142, 161–162, 171–172, 191–192, 228–229, 263, 266–269, 271, 416
TOTAL	28886	5657	80%

Python Unit Test Overview

Tests	Skipped	Failures	Errors	Time
4047	23 💤	0 ❌	0 🔥	1m 47s ⏱️

[Copilot]

Pull request overview

Adds SSRF-focused validation for OpenAPI operation request URLs in the Python connector, including configurable allowlists and private-network access controls, and wires the new policy into OpenAPI execution.

Changes:

• Introduces ServerUrlValidationOptions + validate_server_url() for scheme/allowlist/DNS-to-non-public-IP checks.
• Integrates URL validation into OpenApiRunner.run_operation() and propagates settings from OpenAPIFunctionExecutionParameters via create_functions_from_openapi().
• Expands unit/integration coverage for blocked URLs and server-variable substitution scenarios.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
python/semantic_kernel/connectors/openapi_plugin/server_url_validator.py	New URL validation implementation and policy model.
python/semantic_kernel/connectors/openapi_plugin/openapi_runner.py	Calls URL validation before outbound requests; stores validation options.
python/semantic_kernel/connectors/openapi_plugin/openapi_manager.py	Propagates validation settings into OpenApiRunner.
python/semantic_kernel/connectors/openapi_plugin/openapi_function_execution_parameters.py	Adds execution settings fields + validation for allowed base URLs; documents default SSRF protections.
python/semantic_kernel/connectors/openapi_plugin/models/rest_api_operation.py	Passes operation arguments into server URL resolution for server-variable substitution.
python/semantic_kernel/connectors/openapi_plugin/init.py	Exposes ServerUrlValidationOptions from the package.
python/tests/unit/connectors/openapi_plugin/test_server_url_validator.py	New unit tests for address categorization and validation behavior (scheme, allowlist, DNS outcomes).
python/tests/unit/connectors/openapi_plugin/test_openapi_runner.py	Updates/extends runner tests to account for validation and ensure blocking occurs pre-request.
python/tests/unit/connectors/openapi_plugin/test_openapi_manager.py	Ensures execution settings propagate into runner validation options.
python/tests/unit/connectors/openapi_plugin/test_sk_openapi.py	Adds regression coverage for invalid allowed base URL configuration.
python/tests/integration/cross_language/test_cross_language.py	Sets allowed base URL for localhost-based integration test flows.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.