feat(fetch): add SSRF protection and comprehensive security test suite

## Summary
This PR adds Server-Side Request Forgery (SSRF) protection and a comprehensive
security test suite to the fetch MCP server.

## Security Features Added

### SSRF Protection
- URL scheme validation (only http/https allowed)
- Private IP range blocking (10.x, 172.16-31.x, 192.168.x, 127.x, etc.)
- IPv6 private address blocking (::1, fe80::, fc00::, etc.)
- Dangerous hostname blocking (localhost, metadata services, etc.)
- DNS resolution validation to prevent DNS rebinding
- Configurable via MCP_FETCH_ALLOW_PRIVATE_IPS env var
- Whitelist support via MCP_FETCH_ALLOWED_PRIVATE_HOSTS

### SSL Configuration
- Configurable SSL verification via MCP_FETCH_SSL_VERIFY env var
- Comprehensive SSL error handling with helpful messages

### Test Suite (71 tests)
- SSRF protection tests
- Private IP blocking tests
- Input validation tests
- URL scheme validation tests
- Integration tests
- Edge case tests

## Configuration

```bash
# Disable SSL verification for self-signed certs
export MCP_FETCH_SSL_VERIFY=false

# Allow private IPs (use with caution)
export MCP_FETCH_ALLOW_PRIVATE_IPS=true

# Whitelist specific internal hosts
export MCP_FETCH_ALLOWED_PRIVATE_HOSTS=internal.company.com,api.local
```

Author: Tomo1912

src/fetch/README.md

@@ -170,6 +170,45 @@ This can be customized by adding the argument `--user-agent=YourUserAgent` to th
 
 The server can be configured to use a proxy by using the `--proxy-url` argument.
 
+### Customization - Private Network Access
+
+By default, the server blocks requests to private IP ranges (10.x.x.x, 192.168.x.x, 127.x.x.x, etc.) to prevent SSRF attacks. If you need to access internal services, you can configure this behavior:
+
+**Allow all private IPs (use with caution):**
+
+```json
+{
+  "mcpServers": {
+    "fetch": {
+      "command": "uvx",
+      "args": ["mcp-server-fetch"],
+      "env": {
+        "MCP_FETCH_ALLOW_PRIVATE_IPS": "true"
+      }
+    }
+  }
+}
+```
+
+**Whitelist specific internal hosts:**
+
+```json
+{
+  "mcpServers": {
+    "fetch": {
+      "command": "uvx",
+      "args": ["mcp-server-fetch"],
+      "env": {
+        "MCP_FETCH_ALLOWED_PRIVATE_HOSTS": "internal.company.com,api.local"
+      }
+    }
+  }
+}
+```
+
+> [!WARNING]
+> Allowing private network access can expose internal services. Only enable this in trusted environments.
+
 ## Windows Configuration
 
 If you're experiencing timeout issues on Windows, you may need to set the `PYTHONIOENCODING` environment variable to ensure proper character encoding:

src/fetch/pyproject.toml

@@ -33,4 +33,13 @@ requires = ["hatchling"]
 build-backend = "hatchling.build"
 
 [tool.uv]
-dev-dependencies = ["pyright>=1.1.389", "ruff>=0.7.3"]
+dev-dependencies = [
+    "pyright>=1.1.389",
+    "ruff>=0.7.3",
+    "pytest>=7.0.0",
+    "pytest-asyncio>=0.21.0",
+]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]