POC Assessment Config #153

Open. Wants to merge 4 commits into base: main.

Conversation

albertkol (Contributor)

POC Assessment Config

sonarcloud bot commented Dec 16, 2024

Quality Gate failed

Failed conditions
5 Security Hotspots
14.9% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

delete_criteria_from_round(criteria_id=request.args.get("criteria_id"), round_id=round_id)

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer URL does not include an explicit host name, making it a relative URL. This can be achieved using the urlparse function from the Python standard library. We will also replace backslashes with forward slashes to handle potential browser quirks.

  1. Import the urlparse function from the urllib.parse module.
  2. Replace backslashes in request.referrer with forward slashes.
  3. Check that the netloc and scheme attributes of the parsed URL are empty.
  4. If the validation fails, redirect to a safe default URL (e.g., the home page).
Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -7,3 +7,3 @@
 from random import randint
-
+from urllib.parse import urlparse
 import requests
@@ -131,3 +131,6 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer.replace('\\', '/')
+        if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+            return redirect(referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
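Review bot: `request.referrer.replace('\\', '/')` dereferences the header without a None check, so a request that carries no Referer (the header is optional and is routinely stripped by Referrer-Policy or privacy tooling) turns into an AttributeError and a 500 instead of the dashboard fallback; guard with `if referrer:` first, as the later suggestions in this thread do. Replacing backslashes with `/` rather than deleting them is the better of the two normalisations used across these suggestions, since it makes `urlparse` see the same `//evil.example` authority the browser would follow and the netloc check then rejects it.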
EOF
move_criteria_up(round_id=round_id, index_to_move_up=int(request.args.get("index")))

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer is a relative URL or belongs to a list of allowed hosts. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty, indicating a relative URL. If the referrer is not valid, we should redirect to a safe default URL, such as the home page.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -86,2 +86,3 @@
 from config import Config
+from urllib.parse import urlparse
 
@@ -97,2 +98,7 @@
 
+def validate_referrer(referrer):
+    referrer = referrer.replace('\\', '')
+    if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+        return referrer
+    return url_for("build_fund_bp.dashboard")
 
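Review bot: `validate_referrer` calls `referrer.replace(...)` before checking for None, so a request without a Referer header raises instead of returning the dashboard URL; start the helper with `if not referrer: return url_for("build_fund_bp.dashboard")`. Deleting backslashes outright (`replace('\\', '')`) is safe but silently rewrites the destination (`/a\b` becomes `/ab`); substituting `/` keeps the browser's interpretation and still lets the `netloc` test catch a `/\evil.example` payload.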
@@ -131,3 +137,3 @@
         # send them where they came from
-        return redirect(request.referrer)
+        return redirect(validate_referrer(request.referrer))
 
@@ -137,3 +143,3 @@
         # send them where they came from
-        return redirect(request.referrer)
+        return redirect(validate_referrer(request.referrer))
 
@@ -143,3 +149,3 @@
         # send them where they came from
-        return redirect(request.referrer)
+        return redirect(validate_referrer(request.referrer))
 
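Review bot: only the three call sites at original lines 131, 137 and 143 are routed through `validate_referrer`, while other suggestions on this PR patch further `redirect(request.referrer)` occurrences (hunk headers at 165, 290 to 320 and 469); now that a helper exists, grep the file and convert every remaining occurrence in the same commit so CodeQL does not re-flag the stragglers.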
EOF
move_criteria_down(round_id=round_id, index_to_move_down=int(request.args.get("index")))

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer value before using it in the redirect function. We can use the urlparse function from the Python standard library to ensure that the referrer is a relative URL and does not contain an explicit host name. This will prevent open redirect vulnerabilities by ensuring that only safe, relative URLs are used for redirection.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -7,2 +7,3 @@
 from random import randint
+from urllib.parse import urlparse
 
@@ -131,3 +132,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
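Review bot: the same five validation lines are pasted verbatim into this hunk and the two that follow; with the Sonar quality gate already failing on 14.9% duplicated new code against a 3% limit, this belongs in one helper that takes the referrer and returns either the validated path or the dashboard URL. The `if referrer:` guard here is correct and is exactly what several of the sibling suggestions are missing, so make this the body of that helper.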
@@ -137,3 +143,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
@@ -143,3 +154,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
EOF
)

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in the redirect function. We can use the urlparse function from the Python standard library to ensure that the referrer is a relative URL and does not contain an explicit host name. This will prevent redirection to external sites.

  1. Import the urlparse function from the urllib.parse module.
  2. Replace the direct use of request.referrer with a validated version.
  3. Ensure that the referrer is a relative URL by checking that the netloc attribute is empty.
Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -19,2 +19,3 @@
 from flask import url_for
+from urllib.parse import urlparse
 from fsd_utils.authentication.decorators import login_requested
@@ -97,2 +98,5 @@
 
+def is_safe_url(target):
+    ref_url = urlparse(target)
+    return not ref_url.netloc and not ref_url.scheme
 
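Review bot: `is_safe_url` does not handle a missing Referer header: `urlparse(None)` does not raise but returns empty (bytes) fields, so `is_safe_url(None)` is True and the caller proceeds to `redirect(None)`; return False for a falsy target. It also omits the backslash normalisation the other suggestions include, so `/\evil.example` passes the empty-netloc test while browsers resolve it as `//evil.example`; replace `\` with `/` before parsing, or reject any target containing a backslash.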
@@ -131,3 +135,5 @@
         # send them where they came from
-        return redirect(request.referrer)
+        if is_safe_url(request.referrer):
+            return redirect(request.referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
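Review bot: because browsers send Referer as an absolute URL, `is_safe_url(request.referrer)` will be False for every genuine back-navigation and these routes will always land on the dashboard; the open redirect is closed, but the "send them where they came from" comment above no longer describes what the code does. Either compare the parsed netloc against `request.host` and redirect to the path and query only, or drop the referrer logic and build the return target with `url_for`.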
@@ -137,3 +143,5 @@
         # send them where they came from
-        return redirect(request.referrer)
+        if is_safe_url(request.referrer):
+            return redirect(request.referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
@@ -143,3 +151,5 @@
         # send them where they came from
-        return redirect(request.referrer)
+        if is_safe_url(request.referrer):
+            return redirect(request.referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
@@ -165,3 +175,5 @@
         # send them where they came from
-        return redirect(request.referrer)
+        if is_safe_url(request.referrer):
+            return redirect(request.referrer)
+        return redirect(url_for("build_fund_bp.dashboard"))
 
EOF
delete_subcriteria_from_criteria(subcriteria_id=request.args.get("subcriteria_id"), criteria_id=criteria_id)

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or, if the problem persists, contact support.

delete_theme_from_subcriteria(theme_id=request.args.get("theme_id"), subcriteria_id=subcriteria_id)

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer is a relative URL or belongs to a list of allowed hosts. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty, indicating a relative URL. If the referrer is not valid, we should redirect to a safe default URL, such as the home page.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -19,2 +19,3 @@
 from flask import url_for
+from urllib.parse import urlparse
 from fsd_utils.authentication.decorators import login_requested
@@ -290,3 +291,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
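Review bot: resolving the fallback through `url_for(BUILD_FUND_BP_DASHBOARD)` is the right choice (another suggestion's hunk shows the constant defined at line 88 of this file), but the validation block is copied into four hunks again; lift it into a helper next to that constant so later tightening, such as a host comparison or a scheme allow-list, happens in one place rather than four.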
@@ -296,3 +302,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
@@ -302,3 +313,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
@@ -320,3 +336,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
EOF
move_theme_up(subcriteria_id=subcriteria_id, index_to_move_up=int(request.args.get("index")))

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer is within the same host or a list of allowed hosts. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute matches the expected host.

We will modify the code in the theme function to validate the request.referrer before using it in a redirect. Specifically, we will add a check to ensure that the referrer is within the same host.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -19,2 +19,3 @@
 from flask import url_for
+from urllib.parse import urlparse
 from fsd_utils.authentication.decorators import login_requested
@@ -88,3 +89,2 @@
 BUILD_FUND_BP_DASHBOARD = "build_fund_bp.dashboard"
-
 # Blueprint for routes used by v1 of FAB - using the DB
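Review bot: this hunk only deletes the blank line after `BUILD_FUND_BP_DASHBOARD`, an unrelated whitespace change that does not belong in a security fix and that the project's formatter is likely to reinstate; drop it from the patch.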
@@ -290,3 +290,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer_url = urlparse(referrer)
+            if referrer_url.netloc == request.host:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
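Review bot: `referrer_url.netloc == request.host` is the one check in this thread that keeps the "return to the previous page" behaviour, since browsers send Referer as an absolute URL; two gaps remain. The scheme is not inspected, so an `http://` referrer on an `https://` site is redirected to as-is, add `referrer_url.scheme in ("http", "https")` and prefer redirecting to `referrer_url.path` plus query so the target is same-origin by construction. And `request.host` is only as trustworthy as the incoming Host header, so confirm the app pins accepted hosts (Flask `SERVER_NAME` or Werkzeug's trusted hosts) or the comparison reduces to "whatever host this request claimed".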
@@ -296,3 +301,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer_url = urlparse(referrer)
+            if referrer_url.netloc == request.host:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
@@ -302,3 +312,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer_url = urlparse(referrer)
+            if referrer_url.netloc == request.host:
+                return redirect(referrer)
+        return redirect(url_for(BUILD_FUND_BP_DASHBOARD))
 
EOF
move_theme_down(subcriteria_id=subcriteria_id, index_to_move_down=int(request.args.get("index")))

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer URL does not include an explicit host name, making it a relative URL. This can be achieved using the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty. Additionally, we should handle backslashes and mistyped URLs as described in the background section.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -7,2 +7,3 @@
 from random import randint
+from urllib.parse import urlparse
 
@@ -290,3 +291,6 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer.replace('\\', '')
+        if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+            return redirect(referrer)
+        return redirect('/')
 
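Review bot: `request.referrer.replace('\\', '')` has the same unguarded-None problem as the first suggestion (AttributeError on a request without a Referer), and the fallback `redirect('/')` hard-codes a path where the rest of the file resolves the dashboard via `url_for(BUILD_FUND_BP_DASHBOARD)`; use the constant so the fallback follows the blueprint's URL prefix, and add `if referrer:` before the `.replace`.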
@@ -296,3 +300,6 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer.replace('\\', '')
+        if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+            return redirect(referrer)
+        return redirect('/')
 
@@ -302,3 +309,6 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer.replace('\\', '')
+        if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+            return redirect(referrer)
+        return redirect('/')
 
@@ -320,3 +330,6 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer.replace('\\', '')
+        if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+            return redirect(referrer)
+        return redirect('/')
 
EOF
)

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or, if the problem persists, contact support.

move_component_down(theme_id=theme_id, index_to_move_down=int(request.args.get("index")))

# send them where they came from
return redirect(request.referrer)

Check warning (Code scanning / CodeQL): URL redirection from remote source, Medium
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI about 10 hours ago

To fix the problem, we need to validate the request.referrer before using it in a redirect. One way to do this is to ensure that the referrer is a relative URL or belongs to a list of allowed hosts. We can use the urlparse function from the Python standard library to parse the URL and check that the netloc attribute is empty, indicating a relative URL. If the referrer is not valid, we should redirect to a safe default URL, such as the home page.

Suggested changeset 1
app/blueprints/fund_builder/routes.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/blueprints/fund_builder/routes.py b/app/blueprints/fund_builder/routes.py
--- a/app/blueprints/fund_builder/routes.py
+++ b/app/blueprints/fund_builder/routes.py
@@ -1,2 +1,3 @@
 import json
+from urllib.parse import urlparse
 import os
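Review bot: `from urllib.parse import urlparse` is wedged between `import json` and `import os`, splitting the file's block of plain stdlib imports; place it after those lines (or let isort position it) so the import section stays consistent with the other suggestions, which put it next to the existing `from` imports.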
@@ -469,3 +470,8 @@
         # send them where they came from
-        return redirect(request.referrer)
+        referrer = request.referrer
+        if referrer:
+            referrer = referrer.replace('\\', '')
+            if not urlparse(referrer).netloc and not urlparse(referrer).scheme:
+                return redirect(referrer)
+        return redirect(url_for("build_fund_bp.theme", subcriteria_id=theme.subcriteria_id, theme_id=theme_id))
 
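Review bot: the fallback `url_for("build_fund_bp.theme", subcriteria_id=theme.subcriteria_id, theme_id=theme_id)` assumes a `theme` object is already bound in this route, but the visible context only shows `theme_id` taken from the URL; confirm the route loads the theme before this return, otherwise the fallback itself raises NameError on exactly the request it is meant to rescue. The None guard and the combined netloc/scheme test here are otherwise the pattern the other hunks should converge on.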
EOF
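The autofix suggestions above disagree on the details (whether a missing Referer is handled, whether backslashes are stripped or replaced, and whether the target must be relative or merely same-host). The validator below is an added example that consolidates those points; it is not code from this PR or from the Copilot suggestions. It deliberately imports nothing from Flask so it runs stand-alone: the `request_host` argument stands in for Flask's `request.host`, `fallback` for `url_for(BUILD_FUND_BP_DASHBOARD)`, and the hostnames and paths in the demo are constructed placeholders. It normalises backslashes, rejects non-http(s) schemes and foreign hosts, and returns only the path and query, so the redirect target is same-origin by construction rather than by string inspection.

```python
"""Same-origin validation for a Referer-derived "go back" redirect target.

Added example, not code from the PR. Stdlib only: the Flask request object is
replaced by plain arguments so this runs without Flask installed.
"""
from urllib.parse import urlsplit, urlunsplit

# Schemes a browser will follow to our own host; anything else
# (javascript:, data:, file:) is rejected outright.
ALLOWED_SCHEMES = {"http", "https"}


def safe_return_url(referrer, request_host, fallback="/"):
    """Return a same-origin path (plus query) to redirect to, or `fallback`.

    referrer     -- raw Referer header value; None when the browser sent none
    request_host -- host the app is serving (Flask: request.host, which must
                    itself be pinned via SERVER_NAME / trusted hosts)
    fallback     -- safe default, e.g. url_for(BUILD_FUND_BP_DASHBOARD)
    """
    # Referer is optional and is frequently stripped by Referrer-Policy or
    # privacy tooling, so the absent case must not raise.
    if not referrer:
        return fallback

    # Browsers treat "\" like "/" when resolving a Location header, so
    # "/\evil.example" is really "//evil.example". Normalise before parsing
    # so urlsplit sees the same authority the browser will.
    candidate = referrer.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback
    # A non-empty netloc must be exactly our host (port included, as in
    # request.host). This rejects absolute foreign URLs, userinfo tricks
    # such as "https://ours@evil.example/", and the scheme-relative form
    # "//evil.example".
    if parts.netloc and parts.netloc.lower() != request_host.lower():
        return fallback
    # What remains is relative or same-host. Accept only an absolute path:
    # a path beginning "//" (from "////evil.example") is re-read by the
    # browser as an authority, and a relative path resolves differently
    # depending on which nested route handled the request.
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    # Emit path and query only: scheme and host are dropped, so even a
    # same-host absolute referrer becomes a relative, same-origin target.
    return urlunsplit(("", "", path, parts.query, ""))


# Flask wiring, using the names from the PR (assumed; not executed here):
#   return redirect(safe_return_url(request.referrer, request.host,
#                                   url_for(BUILD_FUND_BP_DASHBOARD)))

if __name__ == "__main__":
    # Constructed sample Referer values for a hypothetical app host.
    host = "fab.example"
    for ref in (None,
                "https://fab.example/rounds/7/criteria?tab=2",
                "https://evil.example/phish",
                "//evil.example/phish",
                "/\\evil.example/phish",
                "javascript:alert(1)",
                "/rounds/7"):
        print(f"{ref!r:45} -> {safe_return_url(ref, host, '/dashboard')!r}")
```

Returning the rebuilt path rather than the original string is the part that makes the check robust to parser differences: whatever `urlsplit` decided about the authority, the Location header the client receives never contains one.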