Fix URL security vulnerabilities (v1.2.2) #3
Security Release v1.2.2
This PR fixes multiple URL security vulnerabilities in repository URL validation and construction.
Security Issues Fixed
1. URL Spoofing via Arbitrary Position String Matching
Vulnerable patterns:
Attack examples:
evil-github.com-fake.ru → matches "github.com" in url
https://malicious.com?redirect=github.com/evil → matches domain check
evil.com/git+malicious → matches "git+" in url

Fix: Use urlparse() to validate domain via netloc property

2. URL Injection via Unsafe URL Construction
Vulnerable code:
Attack examples:
github.com/user/[email protected]/malicious
github.com/../../etc/passwd
github.com/user/repo#fragment?param=value

Fix: Validate input before URL construction

Blocked characters: @, #, ?, &, whitespace, ../
Allowed characters: -, _, .

Changes
src/ossval/parsers/spdx.py
✅ Add _is_git_url() helper method for safe URL validation
✅ Parse URLs and check domain via urlparse().netloc
✅ Check protocol prefixes with startswith() instead of in
✅ Fix 3 vulnerable checks in JSON and tag-value parsing

src/ossval/analyzers/repo_finder.py
✅ Fix _is_valid_git_url() to parse URLs and check netloc
✅ Fix _normalize_git_url() to safely check domains
✅ Fix _find_go_repo() with input validation
✅ Add dangerous character validation
✅ Add path traversal protection

src/ossval/core.py
✅ Fix GitHub health check to parse URL and validate netloc
✅ Replace unsafe in check with urlparse validation

Security Improvements
✅ All domain checks use urlparse().netloc == "domain.com"
✅ Protocol checks use startswith() instead of substring matching
✅ Input validation prevents malicious package names
✅ Path traversal attacks blocked
✅ Character whitelisting for URL construction
Testing
pytest tests/ -v  # 94 passed, 13 warnings in 8.10s
All existing tests pass. No functional regressions.
Impact
Version Bump
1.2.1 → 1.2.2
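The two fixes described above (issue 1, domain checks via urlparse() instead of substring matching, and issue 2, validating input before URL construction) as an added, self-contained example. This is not ossval's own code from the PR: the names ALLOWED_HOSTS, is_git_url, is_git_url_naive, is_safe_segment, build_repo_url and repo_url_from_go_path are hypothetical stand-ins for the project's _is_git_url() / _is_valid_git_url() / _find_go_repo(), the allow-list of hosts is an assumption (the PR only names github.com), and the attack strings are the ones listed in the PR plus a userinfo and a subdomain spoof that a netloc-based check must also reject.

```python
"""Added example (not ossval's code): URL spoofing and URL injection checks.

ALLOWED_HOSTS, is_git_url, build_repo_url and repo_url_from_go_path are
hypothetical names, not the project's real _is_git_url / _find_go_repo.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Hypothetical allow-list of hosting domains; the PR only names github.com.
ALLOWED_HOSTS = {"github.com", "gitlab.com", "bitbucket.org"}

# Whitelist for one path segment (owner or repo name): letters, digits,
# '-', '_', '.'; no '@', '#', '?', '&', '/' or whitespace, per the PR.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def is_git_url_naive(url: str) -> bool:
    """The substring pattern the PR replaces: any string containing the
    domain or 'git+' *anywhere* passes, so it is trivially spoofed."""
    return "github.com" in url or "git+" in url


def is_git_url(url: str) -> bool:
    """Hardened check: parse the URL and compare the host component.

    urlparse() puts everything between '://' and the next '/', '?' or '#'
    into netloc; .hostname additionally strips userinfo and port and
    lowercases, so 'https://github.com@evil.com/x' resolves to evil.com.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme
    if scheme.startswith("git+"):            # prefix check, not substring
        scheme = scheme[len("git+"):]
    if scheme not in {"https", "ssh", "git"}:
        return False
    return parsed.hostname in ALLOWED_HOSTS  # None (no host) is rejected


def is_safe_segment(segment: str) -> bool:
    """Reject anything that could change URL structure or traverse paths."""
    if not SAFE_SEGMENT.fullmatch(segment):
        return False
    return ".." not in segment               # blocks '..' and '..hidden'


def build_repo_url(owner: str, repo: str, host: str = "github.com") -> Optional[str]:
    """Validate inputs *before* interpolating them into a URL (the PR's
    fix for unsafe construction). Returns None rather than a tainted URL."""
    if host not in ALLOWED_HOSTS:
        return None
    if not (is_safe_segment(owner) and is_safe_segment(repo)):
        return None
    url = f"https://{host}/{owner}/{repo}"
    assert is_git_url(url)                   # construction must round-trip
    return url


def repo_url_from_go_path(import_path: str) -> Optional[str]:
    """Derive a repository URL from a Go import path such as
    'github.com/user/repo/sub/pkg' (the _find_go_repo scenario).
    Hypothetical helper; only the first three segments are used."""
    parts = import_path.split("/")
    if len(parts) < 3:
        return None
    return build_repo_url(parts[1], parts[2], host=parts[0])


if __name__ == "__main__":
    # Constructed inputs: the PR's attack strings plus two more spoofs.
    for url in [
        "evil-github.com-fake.ru",
        "https://malicious.com?redirect=github.com/evil",
        "evil.com/git+malicious",
        "https://github.com@evil.com/user/repo",
        "https://github.com.evil.com/user/repo",
        "git+https://github.com/user/repo.git",
    ]:
        print(f"{url:50} naive={is_git_url_naive(url)!s:5} parsed={is_git_url(url)}")
    for owner, repo in [("user", "repo@evil.com/malicious"), ("..", ".."),
                        ("user", "repo#fragment?param=value"), ("my-org", "my_repo.js")]:
        print(f"{owner}/{repo!r:30} -> {build_repo_url(owner, repo)}")
    print(repo_url_from_go_path("github.com/../../etc/passwd"))
```

Two caveats worth keeping in mind when applying the same pattern elsewhere: .hostname is used rather than raw netloc so that a mixed-case host, a port, or a user@ prefix cannot cause a false negative or, worse, a false positive after later normalisation; and scp-style remotes such as git@github.com:user/repo.git are not URLs, so urlparse() yields no scheme and no host for them and they must be matched by a separate, equally strict rule rather than by falling back to substring search.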