Thinking Path

• SSRF check blocks requests to private IPs unless hostname is in a hardcoded allowlist
• Only ollama, localhost, 127.0.0.1, lmstudio, lm-studio are allowed
• Users with llama.cpp, llama-swap, vLLM, TabbyAPI, or any custom hostname resolving to a private IP are blocked
• These are user-explicitly configured endpoints in custom_providers — not SSRF risks
• Fix: extract hostnames from custom_providers[].base_url and add them to the trusted set before the SSRF check

What Changed

• api/config.py: Before the SSRF check in _build_available_models_uncached(), build a _ssrf_trusted_hosts set from all custom_providers[].base_url entries. The is_known_local check now also accepts any hostname in this set. The original hardcoded allowlist is unchanged.

Why It Matters

Users running local inference servers (llama.cpp, vLLM, TabbyAPI, llama-swap) with custom hostnames get SSRF: resolved hostname to private IP errors. Their models never appear in the dropdown. After this fix, any endpoint explicitly configured in custom_providers is trusted.

Verification

• pytest tests/test_issue1105_ssrf_custom_providers.py -v — 7/7 pass
• pytest tests/test_model_resolver.py tests/test_custom_provider_display_name.py -v — 26/27 pass (1 pre-existing failure)
• Syntax check: py_compile api/config.py — OK

Security Note

This does NOT weaken SSRF protection. The trusted hostnames come exclusively from custom_providers in config.yaml — a file the server admin controls. Unknown private IPs are still blocked.

Risks / Follow-ups

• A hostname typo in custom_providers could accidentally trust a different local machine — acceptable risk since config.yaml is admin-controlled
• Complements custom_providers[].models dict ignored — only singular model field populates dropdown #1106 (custom_providers models dict) — both fixes together make local model servers fully work

Model Used

• Provider: zai
• Model: glm-5-turbo
• Tools: Hermes Agent

Closes #1105