Canonical CLA integration #14296
Canonical CLA integration #14296
Conversation
Demo
Jenkins 
demos.haus 
goulinkh
force-pushed
the
canonical-cla
branch
from
f83626b to
6504872
Compare
goulinkh
force-pushed
the
canonical-cla
branch
from
6504872 to
54b87bb
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
goulinkh
force-pushed
the
canonical-cla
branch
from
310a5b8 to
7258de1
Compare
| error_response.cache_control.no_store = True | ||
| return error_response | ||
| else: | ||
| response = flask.make_response(api_service_response.content) |
Check warning
Code scanning / CodeQL
Reflected server-side cross-site scripting Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 29 days ago
To fix the problem, we need to ensure that the content returned from the external API is properly sanitized before being sent to the client. This can be achieved by escaping the content to prevent any malicious scripts from being executed in the user's browser.
The best way to fix this issue is to use the html.escape() function from the html module to escape the content before returning it to the client. This will ensure that any potentially dangerous characters are converted to their corresponding HTML-safe sequences.
| @@ -162,3 +162,5 @@ | ||
| else: | ||
| response = flask.make_response(api_service_response.content) | ||
| from html import escape | ||
| escaped_content = escape(api_service_response.content.decode('utf-8')) | ||
| response = flask.make_response(escaped_content) | ||
| response.headers["Content-Type"] = api_service_response.headers[ |
There was a problem hiding this comment.
We trust the API response as it's our service not a 3rd party service so this is risk doesn't apply in our case.
| api_service_response = requests.request( | ||
| timeout=10, | ||
| method=flask.request.method, | ||
| url=urlparse.urljoin(CANONICAL_CLA_API_URL, request_url), | ||
| headers={ | ||
| "X-Custom-Forwarded-For": client_ip, | ||
| }, | ||
| cookies=flask.request.cookies, | ||
| data=flask.request.data, | ||
| ) |
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 29 days ago
To fix the problem, we need to validate the user-provided request_url to ensure it does not lead to an SSRF vulnerability. One way to do this is to maintain a list of allowed paths or domains and check the user input against this list. If the input is not in the allowed list, we should reject the request.
- Add a list of allowed paths or domains.
- Validate the
request_urlagainst this list before making the HTTP request. - If the
request_urlis not valid, return an error response.
| @@ -127,2 +127,8 @@ | ||
| request_url = base64.b64decode(encoded_request_url).decode("utf-8") | ||
|
|
||
| # Validate the request_url against allowed paths | ||
| allowed_paths = ["/allowed/path1", "/allowed/path2"] | ||
| if not any(request_url.startswith(path) for path in allowed_paths): | ||
| return flask.abort(400, description="Invalid request URL") | ||
|
|
||
| client_ip = flask.request.headers.get( |
Done
QA
./run serveordotrunIssue / Card
Fixes #
Screenshots
[If relevant, please include a screenshot.]
Help
QA steps - Commit guidelines