feat: implement paypal webhook refunds #309
Conversation
```python
except Exception as e:  # pylint: disable=broad-exception-caught
    if not self._is_valid_url(url):
        raise ValueError("Invalid or untrusted URL provided") from e
r = requests.get(url)  # pylint: disable=missing-timeout
```
Check failure: Code scanning / CodeQL: Full server-side request forgery
Copilot Autofix AI about 1 month ago
To fix the problem, we need to ensure that the URL used in the `requests.get` call is fully validated and cannot be manipulated by an attacker. One way to achieve this is to maintain a list of authorized URLs on the server and choose from that list based on the input provided. Alternatively, we can enhance the validation to ensure that the URL is safe.

In this case, we will enhance the validation by ensuring that the URL path is also checked to prevent any potential SSRF attacks. We will modify the `_is_valid_url` method to include this additional validation.
@@ -61,2 +61,4 @@ | ||
return False | ||
if not parsed_url.path.startswith('/'): | ||
return False | ||
return True |
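Review bot: the added path check at R62-R63 (`if not parsed_url.path.startswith('/'): return False`) does not reduce the SSRF exposure, because the path never decides which host the server connects to; a caller-controlled scheme or host still reaches `requests.get(url)` unchanged. Prefer the first option the comment itself names: keep a server-side allowlist of permitted receipt hosts (or full URLs) and reject any URL whose parsed hostname is not on it. Since the flagged call still carries `# pylint: disable=missing-timeout`, pass an explicit timeout to `requests.get` as well so a slow or unreachable host cannot hang the webhook handler.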
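The host-allowlist approach the autofix comment mentions as its first option, shown as an added example (not the project's own `_is_valid_url`; the allowed host names, function names and sample URLs are assumptions): a path-only check beside an allowlist check, run over constructed URLs so the difference is visible.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the server may fetch receipts from (assumed values).
ALLOWED_HOSTS = frozenset({"www.paypal.com", "api-m.paypal.com"})


def is_valid_url_path_check(url: str) -> bool:
    """Mirrors the autofix idea: require a scheme, a host and a path starting with '/'.
    Included to show that a path check alone does not constrain the destination."""
    parsed = urlsplit(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return parsed.path.startswith("/")


def is_valid_url_allowlisted(url: str) -> bool:
    """Allowlist check: https only, no userinfo, standard port, hostname on the list.
    .hostname is the component that decides where the request actually goes."""
    parsed = urlsplit(url)
    if parsed.scheme != "https":
        return False
    if parsed.username is not None or parsed.password is not None:
        return False  # rejects "https://www.paypal.com@other.host/..." style netlocs
    try:
        port = parsed.port  # ValueError on a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    return parsed.hostname in ALLOWED_HOSTS and parsed.path.startswith("/")


# Constructed sample inputs: one legitimate receipt URL and three that must be rejected.
SAMPLE_URLS = [
    "https://www.paypal.com/receipts/abc123",
    "https://10.0.0.5/internal-service/",                  # internal network host
    "https://www.paypal.com@internal.example:8080/admin",  # allowed name in userinfo
    "http://localhost/",                                   # plaintext, local host
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Return {url: (path_check_result, allowlist_result)} for each sample URL."""
    return {u: (is_valid_url_path_check(u), is_valid_url_allowlisted(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare().items():
        print(f"{url}\n  path check: {weak}  allowlist: {strict}")
```

The path-only check accepts all four inputs, while the allowlist check accepts only the first; a resolved-address check (rejecting hostnames that resolve to private ranges) would be the next layer on top of this.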
4d53c9b to 58c5896
handle paypal payment receipt url SONIC-784
ec251d6 to d03d47a
Failing tests here are related to Paypal receipts which will be resolved in its own branch.