--- /root/.pruva/runs/ghsa-33xw-247w-6hmc_20260107-204845/bundle/logs/serde_vuln_1.4.2.py	2026-01-07 20:59:51.370428681 +0000
+++ /root/.pruva/runs/ghsa-33xw-247w-6hmc_20260107-204845/bundle/logs/serde_patched_1.4.30.py	2026-01-07 20:59:59.166554041 +0000
@@ -21,6 +21,7 @@
 from _bentoml_sdk.validators import DataframeSchema
 from _bentoml_sdk.validators import TensorSchema
 from bentoml._internal.utils.uri import is_http_url
+from bentoml._internal.utils.uri import make_safe_connect
 
 if t.TYPE_CHECKING:
     from starlette.requests import Request
@@ -40,6 +41,14 @@
     def total_bytes(self) -> int:
         return sum(len(d) for d in self.data)
 
+    def iter_bytes(self) -> t.Iterator[bytes]:
+        for chunk in self.data:
+            yield t.cast(bytes, chunk)
+
+    async def aiter_bytes(self) -> t.AsyncIterator[bytes]:
+        for chunk in self.data:
+            yield t.cast(bytes, chunk)
+
     @property
     def headers(self) -> t.Mapping[str, str]:
         return {"content-length": str(self.total_bytes()), **self.metadata}
@@ -163,10 +172,14 @@
 
         body = await request.body()
         if issubclass(cls, IORootModel) and cls.multipart_fields:
-            if is_http_url(url := body.decode("utf-8", "ignore")):
+            url = body.decode("utf-8", "ignore")
+            if is_http_url(url):
                 async with httpx.AsyncClient() as client:
                     logger.debug("Request with URL, downloading file from %s", url)
-                    resp = await client.get(url)
+                    with make_safe_connect():
+                        resp = await client.get(url)
+                    if not resp.is_success:
+                        raise ValueError(f"Failed to download file from {url}")
                     body = await resp.aread()
         return self.deserialize_model(Payload((body,), metadata=request.headers), cls)
 
@@ -189,12 +202,16 @@
 
         if isinstance(obj, UploadFile):
             return obj
+
+        url = obj.strip("\"'")
+
         async with httpx.AsyncClient() as client:
-            obj = obj.strip("\"'")  # The url may be JSON encoded
-            logger.debug("Request with URL, downloading file from %s", obj)
-            resp = await client.get(obj)
+            with make_safe_connect():
+                resp = await client.get(url)
+            if not resp.is_success:
+                raise ValueError(f"Failed to download file from {url}")
             body = io.BytesIO(await resp.aread())
-            parsed = urlparse(obj)
+            parsed = urlparse(url)
             return UploadFile(
                 body,
                 size=len(body.getvalue()),