Skip to content

Small Security Fixes #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 18, 2025
Merged

Small Security Fixes #82

merged 2 commits into from
Jun 18, 2025

Conversation

scottstraughan
Copy link
Member

Fixes issues:

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 17, 2025
View reviewed changes
src/feeds/ProjectFeed.py
if 'github.com' in markdown_file.front_matter['external_url']:
external_url = str(markdown_file.front_matter['external_url'])

if external_url.startswith('https://github.com'):

Check failure

Code scanning / CodeQL

Incomplete URL substring sanitization High

The string
https://github.com
Loading
may be at an arbitrary position in the sanitized URL.

Copilot Autofix

AI 3 days ago

To fix the issue, we should parse the external_url using urlparse and validate its hostname explicitly. This ensures that the URL is properly interpreted and avoids substring-based checks, which are prone to errors. Specifically, we will extract the hostname from the parsed URL and verify that it matches github.com or a subdomain of github.com. This approach is more secure and aligns with best practices for URL validation.

Suggested changeset 1
src/feeds/ProjectFeed.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/feeds/ProjectFeed.py b/src/feeds/ProjectFeed.py
--- a/src/feeds/ProjectFeed.py
+++ b/src/feeds/ProjectFeed.py
@@ -113,3 +113,4 @@
 
-        if external_url.startswith('https://github.com'):
+        parsed_url = urlparse(external_url)
+        if parsed_url.hostname and (parsed_url.hostname == 'github.com' or parsed_url.hostname.endswith('.github.com')):
             return self._inject_github_repository_information(
EOF
@@ -113,3 +113,4 @@

if external_url.startswith('https://github.com'):
parsed_url = urlparse(external_url)
if parsed_url.hostname and (parsed_url.hostname == 'github.com' or parsed_url.hostname.endswith('.github.com')):
return self._inject_github_repository_information(
Copilot is powered by AI and may make mistakes. Always verify output.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think the statement may be at an arbitrary position works as you do startswith 🤷

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Anyway, the proposed solution seems easy to understand and if it passes CodeQL validation it won't do any harm .

@scottstraughan scottstraughan merged commit e20cdbb into main Jun 18, 2025
4 of 5 checks passed
@scottstraughan scottstraughan deleted the security-fixes branch June 18, 2025 11:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlewis carlewis carlewis approved these changes

@codeplaymax codeplaymax Awaiting requested review from codeplaymax

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@scottstraughan @carlewis