-
Notifications
You must be signed in to change notification settings - Fork 207
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Canonical CLA integration #14296
base: main
Are you sure you want to change the base?
Canonical CLA integration #14296
Conversation
f83626b
to
6504872
Compare
6504872
to
54b87bb
Compare
310a5b8
to
7258de1
Compare
error_response.cache_control.no_store = True | ||
return error_response | ||
else: | ||
response = flask.make_response(api_service_response.content) |
Check warning
Code scanning / CodeQL
Reflected server-side cross-site scripting Medium
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 2 months ago
To fix the problem, we need to ensure that the content returned from the external API is properly sanitized before being sent to the client. This can be achieved by escaping the content to prevent any malicious scripts from being executed in the user's browser.
The best way to fix this issue is to use the html.escape()
function from the html
module to escape the content before returning it to the client. This will ensure that any potentially dangerous characters are converted to their corresponding HTML-safe sequences.
-
Copy modified lines R163-R165
@@ -162,3 +162,5 @@ | ||
else: | ||
response = flask.make_response(api_service_response.content) | ||
from html import escape | ||
escaped_content = escape(api_service_response.content.decode('utf-8')) | ||
response = flask.make_response(escaped_content) | ||
response.headers["Content-Type"] = api_service_response.headers[ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We trust the API response as it's our service not a 3rd party service so this is risk doesn't apply in our case.
api_service_response = requests.request( | ||
timeout=10, | ||
method=flask.request.method, | ||
url=urlparse.urljoin(CANONICAL_CLA_API_URL, request_url), | ||
headers={ | ||
"X-Custom-Forwarded-For": client_ip, | ||
}, | ||
cookies=flask.request.cookies, | ||
data=flask.request.data, | ||
) |
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 2 months ago
To fix the problem, we need to validate the user-provided request_url
to ensure it does not lead to an SSRF vulnerability. One way to do this is to maintain a list of allowed paths or domains and check the user input against this list. If the input is not in the allowed list, we should reject the request.
- Add a list of allowed paths or domains.
- Validate the
request_url
against this list before making the HTTP request. - If the
request_url
is not valid, return an error response.
-
Copy modified lines R128-R133
@@ -127,2 +127,8 @@ | ||
request_url = base64.b64decode(encoded_request_url).decode("utf-8") | ||
|
||
# Validate the request_url against allowed paths | ||
allowed_paths = ["/allowed/path1", "/allowed/path2"] | ||
if not any(request_url.startswith(path) for path in allowed_paths): | ||
return flask.abort(400, description="Invalid request URL") | ||
|
||
client_ip = flask.request.headers.get( |
Done
QA
./run serve
ordotrun
Issue / Card
Fixes #
Screenshots
[If relevant, please include a screenshot.]
Help
QA steps - Commit guidelines