Small Security Fixes #82

Merged 2 commits, Jun 18, 2025
4 changes: 2 additions & 2 deletions requirements.txt
@@ -24,8 +24,8 @@ Markdown==3.7 \
--hash=sha256:7eb6df5690b81a1d7942992c97fad2938e956e79df20cbc6186e9c3a77b1c803
PyYAML==6.0.1 \
--hash=sha256:bfdf460b1736c775f2ba9f6a92bca30bc2095067b8a9d77876d1fad6cc3b4a43
requests==2.32.3 \
--hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6
requests==2.32.4 \
--hash=sha256:27babd3cda2a6d50b30443204ee89830707d396671944c998b5975b031ac2b2c
six==1.17.0 \
--hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \
--hash=sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81
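Review bot: the `requests==2.32.3` to `requests==2.32.4` bump comes with a fresh sha256 pin but nothing in the PR says which upstream fix it picks up; with a title like "Small Security Fixes", the description should link the advisory or changelog entry so a reviewer can confirm 2.32.4 is the first release that contains it. Please also confirm that the new hash on the `requests==2.32.4` line was copied from the PyPI release files rather than a locally built wheel, since a `--hash` pin only protects installs if it was taken from the artifact you actually intend to trust.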
4 changes: 3 additions & 1 deletion src/feeds/ProjectFeed.py
@@ -109,7 +109,9 @@
"""
Using GitHub, GitLab, Other APIs, load in more useful repository information.
"""
if 'github.com' in markdown_file.front_matter['external_url']:
external_url = str(markdown_file.front_matter['external_url'])

if external_url.startswith('https://github.com'):

Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High). The string https://github.com may be at an arbitrary position in the sanitized URL.

Copilot Autofix (AI, 3 days ago):
To fix the issue, we should parse the external_url using urlparse and validate its hostname explicitly. This ensures that the URL is properly interpreted and avoids substring-based checks, which are prone to errors. Specifically, we will extract the hostname from the parsed URL and verify that it matches github.com or a subdomain of github.com. This approach is more secure and aligns with best practices for URL validation.
Suggested changeset 1: src/feeds/ProjectFeed.py

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/src/feeds/ProjectFeed.py b/src/feeds/ProjectFeed.py
--- a/src/feeds/ProjectFeed.py
+++ b/src/feeds/ProjectFeed.py
@@ -113,3 +113,4 @@
 
-        if external_url.startswith('https://github.com'):
+        parsed_url = urlparse(external_url)
+        if parsed_url.hostname and (parsed_url.hostname == 'github.com' or parsed_url.hostname.endswith('.github.com')):
             return self._inject_github_repository_information(
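Review bot: the added line `parsed_url = urlparse(external_url)` calls `urlparse` but the patch adds no `from urllib.parse import urlparse`; unless that import already exists higher up in ProjectFeed.py (not visible in this hunk) the first call raises NameError. Two smaller points on the new condition: the removed line required the `https://` prefix while the replacement checks only the hostname, so `http://github.com/...` is now accepted; and `parsed_url.hostname.endswith('.github.com')` admits every subdomain of github.com, which is wider than the single-host prefix it replaces. Suggest `parsed_url.scheme == 'https' and parsed_url.hostname == 'github.com'` unless subdomains are actually wanted here.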
EOF
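The hostname-based validation Copilot describes above, worked through as an added example that is not code from this PR or from the project. It puts three checks side by side on a set of constructed URLs: the substring check the PR removes, the `startswith` check the PR adds, and a parsed-hostname check that is tighter than the suggested patch (it keeps the `https` requirement and accepts the exact host only). The `github_owner_repo` helper is hypothetical and stands in for whatever `_inject_github_repository_information` does with the URL; the sample hosts are made up for the demonstration.

```python
from urllib.parse import urlparse

ALLOWED_HOST = "github.com"


def substring_check(url: str) -> bool:
    """The check the PR removes: matches the text anywhere in the URL."""
    return "github.com" in url


def prefix_check(url: str) -> bool:
    """The check the PR adds: anchored at the start, but not at a host boundary."""
    return url.startswith("https://github.com")


def hostname_check(url: str) -> bool:
    """Parse the URL and compare the host itself.

    Tighter than the Copilot suggestion on two points: the scheme must be
    https (the prefix check required it, the suggested patch does not), and
    only the exact host is accepted rather than every subdomain.
    """
    try:
        parsed = urlparse(url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket in the netloc
        return False
    # .hostname is already lower-cased and has userinfo and port stripped
    return parsed.scheme == "https" and parsed.hostname == ALLOWED_HOST


def github_owner_repo(url: str):
    """Hypothetical helper: (owner, repo) from a validated GitHub URL, else None."""
    if not hostname_check(url):
        return None
    segments = [s for s in urlparse(url).path.split("/") if s]
    if len(segments) < 2:
        return None
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def compare(urls):
    """Run all three checks over each URL: {url: (substring, prefix, hostname)}."""
    return {u: (substring_check(u), prefix_check(u), hostname_check(u)) for u in urls}


# Constructed sample inputs; none of these hosts are claimed to exist.
SAMPLE_URLS = [
    "https://github.com/example-org/example-repo",        # the intended case
    "https://github.com.example.test/example-org/repo",   # host only begins with github.com
    "https://example.test/?next=github.com",              # text appears later in the URL
    "http://github.com/example-org/example-repo",         # wrong scheme
    "https://GitHub.com/example-org/example-repo",        # host case differs
    "https://gitlab.com/example-org/example-repo",        # a different forge
]

if __name__ == "__main__":
    for url, flags in compare(SAMPLE_URLS).items():
        print(f"{url:52} substring={flags[0]!s:5} prefix={flags[1]!s:5} hostname={flags[2]!s:5}")
```

The second and fifth sample URLs are the instructive ones: the prefix check passes a host that merely begins with `github.com`, while the hostname check rejects it, and only the hostname check recognises a capitalised `GitHub.com`, because `urlparse` normalises the host before comparison.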
Member:
I don't think the statement "may be at an arbitrary position" works as you do startswith 🤷

Member:
Anyway, the proposed solution seems easy to understand and if it passes CodeQL validation it won't do any harm.

return self._inject_github_repository_information(
json_feed_item, markdown_file)
elif 'gitlab_project_id' in markdown_file.front_matter:
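Review bot: `external_url.startswith('https://github.com')` on the added line is anchored at the start of the string but not at the end of the host, so any URL whose hostname merely begins with `github.com` (a constructed `https://github.com.example.test/...`, say) satisfies it just like a real repository URL does. The thread is right that CodeQL's "arbitrary position" wording fits the removed `'github.com' in ...` check better than this one, but the host-boundary gap remains. Appending the path separator to the prefix (`'https://github.com/'`) closes it with a one-character change; parsing the URL and comparing `hostname` to `'github.com'` is the more robust option and also reads more clearly next to the `gitlab_project_id` branch below.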