Fix code scanning alert no. 18: Full server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
arpitjain099 · Oct 20, 2024 · a9b392e · a9b392e
1 parent 97e6a6f
commit a9b392e
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py b/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py
@@ -3,12 +3,17 @@
 import os
 import pdb
 import tiktoken
+import urllib.parse
+
+def is_valid_url(url):
+    parsed_url = urllib.parse.urlparse(url)
+    return parsed_url.scheme in ["http", "https"] and parsed_url.netloc != ""
 
 def make_prompt_request(prompt, max_tokens = 2048, timeout = 4):
     # Whitelist of allowed URLs
     allowed_urls = ["https://api.openai.com/v1/embeddings", "https://another-trusted-url.com"]
     url = os.getenv("AOAI_ENDPOINT")
-    if url not in allowed_urls:
+    if not is_valid_url(url) or url not in allowed_urls:
         raise ValueError("The provided URL is not allowed.")
     key = os.getenv("AOAI_KEY")