feat: enhance HTTP handling and configuration

- Introduced a new utility function `safe_urlopen` to ensure only allowed URL schemes (http, https) are opened, enhancing security against path traversal vulnerabilities.
- Updated the `run.py` and `calendar_ics.py` files to utilize `safe_urlopen` for HTTP requests, improving error handling and security.
- Added `HTTP_HOST` configuration to the settings, allowing dynamic binding of the HTTP server host.
- Revised the `.env.example` file to include the new `HTTP_HOST` variable with a description.
- Enhanced tests for `safe_urlopen` to validate behavior with disallowed URL schemes and ensure proper integration in existing functionality.

duty_teller/api/calendar_ics.py

@@ -2,11 +2,13 @@
 
 import logging
 from datetime import date, datetime, timedelta
-from urllib.request import Request, urlopen
+from urllib.request import Request
 from urllib.error import URLError
 
 from icalendar import Calendar
 
+from duty_teller.utils.http_client import safe_urlopen
+
 log = logging.getLogger(__name__)
 
 # In-memory cache: url -> (cached_at_timestamp, raw_ics_bytes)
@@ -16,11 +18,14 @@ FETCH_TIMEOUT_SECONDS = 15
 
 
 def _fetch_ics(url: str) -> bytes | None:
-    """GET url, return response body or None on error."""
+    """GET url, return response body or None on error. Only https/http schemes allowed."""
     try:
         req = Request(url, headers={"User-Agent": "DutyTeller/1.0"})
-        with urlopen(req, timeout=FETCH_TIMEOUT_SECONDS) as resp:
+        with safe_urlopen(req, timeout=FETCH_TIMEOUT_SECONDS) as resp:
             return resp.read()
+    except ValueError:
+        log.warning("ICS URL scheme not allowed (only https/http): %s", url)
+        return None
     except URLError as e:
         log.warning("Failed to fetch ICS from %s: %s", url, e)
         return None