allowlist for request redirection

Author: raka-gunarto

src/huggingface_hub/file_download.py

@@ -83,6 +83,11 @@
 # Regex to check if the file etag IS a valid sha256
 REGEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
 
+# Redirect allowlist for use by relative redirect wrapper
+# Example: HF_DOWNLOAD_REDIRECT_ALLOWLIST=opendns.com
+REDIRECT_ALLOWLIST = os.environ.get("HF_DOWNLOAD_REDIRECT_ALLOWLIST", "").split(",")
+REDIRECT_ALLOWLIST = [domain for domain in REDIRECT_ALLOWLIST if len(domain) > 0]
+
 _are_symlinks_supported_in_dir: Dict[str, bool] = {}
 
 
@@ -294,7 +299,7 @@ def _request_wrapper(
         # This is useful in case of a renamed repository.
         if 300 <= response.status_code <= 399:
             parsed_target = urlparse(response.headers["Location"])
-            if parsed_target.netloc == "":
+            if parsed_target.netloc == "" or any(parsed_target.netloc.endswith(domain) for domain in REDIRECT_ALLOWLIST):
                 # This means it is a relative 'location' headers, as allowed by RFC 7231.
                 # (e.g. '/path/to/resource' instead of 'http://domain.tld/path/to/resource')
                 # We want to follow this relative redirect !