feat: enhance HTTP handling and configuration

- Introduced a new utility function `safe_urlopen` to ensure only allowed URL schemes (http, https) are opened, enhancing security against path traversal vulnerabilities.
- Updated the `run.py` and `calendar_ics.py` files to utilize `safe_urlopen` for HTTP requests, improving error handling and security.
- Added `HTTP_HOST` configuration to the settings, allowing dynamic binding of the HTTP server host.
- Revised the `.env.example` file to include the new `HTTP_HOST` variable with a description.
- Enhanced tests for `safe_urlopen` to validate behavior with disallowed URL schemes and ensure proper integration in existing functionality.

duty_teller/run.py

@@ -11,6 +11,7 @@ from telegram.ext import ApplicationBuilder
 from duty_teller import config
 from duty_teller.config import require_bot_token
 from duty_teller.handlers import group_duty_pin, register_handlers
+from duty_teller.utils.http_client import safe_urlopen
 
 logging.basicConfig(
     format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
@@ -39,7 +40,7 @@ def _set_default_menu_button_webapp() -> None:
         method="POST",
     )
     try:
-        with urllib.request.urlopen(req, timeout=10) as resp:
+        with safe_urlopen(req, timeout=10) as resp:
             if resp.status == 200:
                 logger.info("Default menu button set to Web App: %s", menu_url)
             else:
@@ -54,7 +55,7 @@ def _run_uvicorn(web_app, port: int) -> None:
     loop = asyncio.new_event_loop()
     asyncio.set_event_loop(loop)
     server = uvicorn.Server(
-        uvicorn.Config(web_app, host="0.0.0.0", port=port, log_level="info"),
+        uvicorn.Config(web_app, host=config.HTTP_HOST, port=port, log_level="info"),
     )
     loop.run_until_complete(server.serve())