Django upgrade 5 #2777
Django upgrade 5 #2777
Conversation
ukanga
force-pushed
the
django-upgrade-5
branch
from
a2ff833 to
8c48677
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| response = requests.head( | ||
| cleaned_url, | ||
| allow_redirects=True, | ||
| timeout=DEFAULT_REQUEST_TIMEOUT, | ||
| ) |
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 19 days ago
To fix the SSRF vulnerability, we need to ensure that the user-provided URL is properly validated before being used in HTTP requests. One way to achieve this is by using a whitelist of allowed domains and ensuring that the user-provided URL belongs to one of these domains. This approach prevents the user from directing the request to an unintended server.
- Define a list of allowed domains.
- Parse the user-provided URL and check if its domain is in the allowed list.
- Only proceed with the HTTP request if the domain is valid.
| @@ -19,2 +19,3 @@ | ||
| import requests | ||
| from urllib.parse import urlparse | ||
| from registration.forms import RegistrationFormUniqueEmail | ||
| @@ -407,5 +408,9 @@ | ||
|
|
||
| allowed_domains = ["example.com", "anotherdomain.com"] | ||
| if cleaned_url: | ||
| self.validate(cleaned_url) | ||
| cleaned_xls_file = urlparse(cleaned_url) | ||
| parsed_url = urlparse(cleaned_url) | ||
| if parsed_url.netloc not in allowed_domains: | ||
| raise forms.ValidationError(_("Invalid URL domain.")) | ||
| cleaned_xls_file = parsed_url | ||
| cleaned_xls_file = "_".join(cleaned_xls_file.path.split("/")[-2:]) |
| @@ -420,7 +425,7 @@ | |||
| cleaned_xls_file = get_filename(response) | |||
|
|
|||
| cleaned_xls_file = upload_to(None, cleaned_xls_file, user.username) | |||
| response = requests.get(cleaned_url) | |||
| response = requests.get(cleaned_url, timeout=DEFAULT_REQUEST_TIMEOUT) | |||
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 19 days ago
To fix the problem, we need to ensure that the user-provided URL is properly validated before being used in an HTTP request. One way to do this is to use a whitelist of allowed domains or perform strict validation to ensure the URL points to a trusted domain.
The best way to fix this without changing existing functionality is to add a validation step that checks if the URL belongs to a trusted domain. We can use the URLValidator from Django to validate the URL format and then check the domain against a whitelist.
| @@ -24,2 +24,3 @@ | ||
| from onadata.apps.logger.models import Project | ||
|
|
||
| from onadata.apps.main.models import UserProfile | ||
| @@ -408,3 +409,3 @@ | ||
| if cleaned_url: | ||
| self.validate(cleaned_url) | ||
| if not is_valid_url(cleaned_url): | ||
| cleaned_xls_file = urlparse(cleaned_url) |
| @@ -157,7 +159,9 @@ | |||
| filename = media.data_value.split("/")[-1] | |||
| data_file = NamedTemporaryFile() | |||
| content_type = mimetypes.guess_type(filename) | |||
| with closing(requests.get(media.data_value, stream=True)) as resp: | |||
| with closing( | |||
| requests.get(media.data_value, stream=True, timeout=DEFAULT_REQUEST_TIMEOUT) | |||
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 18 days ago
To fix the problem, we need to ensure that the URL used in the requests.get method is validated against a whitelist of allowed domains. This can be achieved by implementing a function that checks if the URL's domain is in a predefined list of allowed domains before making the request.
- Define a list of allowed domains.
- Implement a function to validate the URL against this list.
- Use this function to validate
media.data_valuebefore making the request.
| @@ -28,2 +28,3 @@ | ||
| import requests | ||
| from urllib.parse import urlparse | ||
|
|
||
| @@ -155,5 +156,12 @@ | ||
|
|
||
| ALLOWED_DOMAINS = ["example.com", "anotherdomain.com"] | ||
|
|
||
| def is_allowed_domain(url): | ||
| """Check if the URL's domain is in the allowed list.""" | ||
| parsed_url = urlparse(url) | ||
| return parsed_url.netloc in ALLOWED_DOMAINS | ||
|
|
||
| def create_media(media): | ||
| """Download media link""" | ||
| if is_valid_url(media.data_value): | ||
| if is_valid_url(media.data_value) and is_allowed_domain(media.data_value): | ||
| filename = media.data_value.split("/")[-1] |
ukanga
force-pushed
the
django-upgrade-5
branch
from
e9dd65e to
3b1fa55
Compare
|
|
||
| # get exact choices element from choice abbreviated xpath | ||
| fruita_o = xform.get_survey_element("a/fruita/orange") | ||
| self.assertEqual(fruita_o.get_abbreviated_xpath(), "a/fruita/orange") | ||
| # fruita_o = xform.get_survey_element("a/fruita/orange") |
There was a problem hiding this comment.
@ukanga Why were these tests commented?
… using django.core.files.storage.storages
Function removed from pyxform codebase
Function removed from pyxform codebase
no need to test with build charts functionality
… google-auth package
- Update to python 3.10.16 from 3.10.14 - Add debian bookworm unstable to include newer glibc
JSON structure changed in pyxform==3.0.0, saved JSON might fail to recreate a survey element
Not in use and package needs to be updated.
choices only option for select questions
Not in use and package needs to be updated.
ukanga
force-pushed
the
django-upgrade-5
branch
from
3846ac3 to
11d1952
Compare
Changes / Features implemented
Steps taken to verify this change does what is intended
Side effects of implementing this change
Before submitting this PR for review, please make sure you have:
Closes #