From cc58473842598216cc382efdff929f60cc22c2de Mon Sep 17 00:00:00 2001
From: Arpit Jain <3242828+arpitjain099@users.noreply.github.com>
Date: Sun, 20 Oct 2024 14:20:48 +0900
Subject: [PATCH] Fix code scanning alert no. 22: Full server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../app/backend/data_client/data_client.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/End_to_end_Solutions/AOAISearchDemo/app/backend/data_client/data_client.py b/End_to_end_Solutions/AOAISearchDemo/app/backend/data_client/data_client.py
index 16beca3c..a812fc22 100644
--- a/End_to_end_Solutions/AOAISearchDemo/app/backend/data_client/data_client.py
+++ b/End_to_end_Solutions/AOAISearchDemo/app/backend/data_client/data_client.py
@@ -21,8 +21,20 @@ class HttpMethod(Enum):
 DELETE="DELETE"
 def __init__(self, base_uri: str, logger: CustomLogger):
- self.base_uri = base_uri
+ self.base_uri = self._validate_base_uri(base_uri)
 self.logger = logger
+
+ def _validate_base_uri(self, base_uri: str) -> str:
+ # Ensure the base_uri is a trusted URL
+ if not base_uri.startswith("https://trusted-domain.com"):
+ raise ValueError("Invalid base URI")
+ return base_uri
+
+ def _sanitize_path(self, path: str) -> str:
+ # Sanitize the path to prevent malicious input
+ if ".." in path or path.startswith("/"):
+ raise ValueError("Invalid path")
+ return path
 def check_chat_session(self, user_id: str, conversation_id: str) -> bool:
 path = f"/check-chat-session/{user_id}/{conversation_id}"
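Review bot: `_sanitize_path` rejects any path that starts with "/", yet `check_chat_session` in this same hunk builds `path = f"/check-chat-session/{user_id}/{conversation_id}"`, so once `_make_request` applies the sanitizer (second hunk) every request routed through it raises `ValueError("Invalid path")`. The base-URI check is also only a string prefix: `"https://trusted-domain.com"` looks like an autofix placeholder rather than the deployed backend host, and `startswith` would accept a URI such as `https://trusted-domain.com.evil.example`, so parse with `urllib.parse.urlsplit` and compare the scheme and `hostname` against a configured allowlist instead. Neither helper addresses the route itself — `user_id` and `conversation_id` are interpolated unescaped, so percent-encoding each segment with `urllib.parse.quote(value, safe="")` at the call site is what keeps caller-controlled values from altering the request path. The rewritten helpers below keep the same signatures (`urlsplit` comes from `urllib.parse`; `ALLOWED_HOSTS` is a placeholder for the configured host allowlist); the rest of the class is outside the hunk.
```python
    # … unchanged: __init__ …

    def _validate_base_uri(self, base_uri: str) -> str:
        # Compare scheme and host rather than a string prefix: a prefix check
        # accepts any host that merely begins with the trusted name.
        parts = urlsplit(base_uri)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:  # ALLOWED_HOSTS: placeholder, load from configuration
            raise ValueError("Invalid base URI")
        return base_uri

    def _sanitize_path(self, path: str) -> str:
        # Routes in this class are built with a leading "/", so only reject
        # traversal, scheme/host prefixes and query/fragment separators.
        if ".." in path or "://" in path or path.startswith("//") or any(c in path for c in "?#"):
            raise ValueError("Invalid path")
        return path
```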
@@ -113,6 +125,7 @@ def get_user_resources(self, user_id: str) -> List[ResourceProfile]:
 @retry(reraise=True, stop = stop_after_attempt(3), wait = wait_exponential(multiplier = 1, max = 60))
 def _make_request(self, path: str, method: HttpMethod, payload: Optional[dict] = None) -> str:
+ path = self._sanitize_path(path)
 headers = self.logger.get_converation_and_dialog_ids()
 properties = self.logger.get_updated_properties(headers)