Potential fix for code scanning alert no. 35: Incomplete URL substring sanitization #25237
…g sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
| if (package.name is None) and ('github.com' in package.url): | ||
| offs = package.url.find('github.com') + len('github.com') + 1 | ||
| parsed_url = urlparse(package.url) | ||
| if (package.name is None) and (parsed_url.hostname and parsed_url.hostname.lower().endswith("github.com")): |
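Review bot: `parsed_url.hostname.lower().endswith("github.com")` on the new `if` line still accepts hosts such as `evil-github.com`, which is why CodeQL keeps flagging this line; require `hostname == "github.com" or hostname.endswith(".github.com")` instead. Note also a behaviour change: the removed `'github.com' in package.url` test matched scheme-less URLs like `github.com/owner/repo`, for which `urlparse` puts the whole string in `path` and returns `hostname` as `None`, so such entries now silently skip name derivation; if they occur in the SBOM input they need handling (for example, prepend a scheme before parsing).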
Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High) on `github.com`
Copilot Autofix (AI), 6 days ago:
To fix the problem, we must parse the hostname and ensure that it represents the expected host. The best way to ensure robust handling is to check that the hostname either exactly matches "github.com" or ends with ".github.com", which safely includes the root domain and any direct subdomains, but excludes things like evil-github.com. Modify the block in scripts/west_commands/sbom/output_pre_process.py that checks parsed_url.hostname.lower().endswith("github.com") to instead check:
hostname = parsed_url.hostname.lower()
if package.name is None and (hostname == "github.com" or hostname.endswith(".github.com")):
    ...
No additional imports are needed, and all changes are local to this function.
| @@ -99,7 +99,8 @@ | ||
| if package.url is None: | ||
| continue | ||
| parsed_url = urlparse(package.url) | ||
| if (package.name is None) and (parsed_url.hostname and parsed_url.hostname.lower().endswith("github.com")): | ||
| hostname = parsed_url.hostname.lower() if parsed_url.hostname else "" | ||
| if (package.name is None) and (hostname == "github.com" or hostname.endswith(".github.com")): | ||
| offs = package.url.find(parsed_url.hostname) + len(parsed_url.hostname) + 1 | ||
| package.name = package.url[offs:] | ||
| if package.name.endswith('.git'): |
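Review bot: the unchanged `offs = package.url.find(parsed_url.hostname) + len(parsed_url.hostname) + 1` line is fragile now that the match is host-based: `urlparse().hostname` is always lower-cased and has any port stripped, so for `https://GitHub.com/owner/repo` the `find` returns -1 and the slice starts inside the host, and for `https://github.com:443/owner/repo` the `+ 1` lands in the port rather than after the `/`. Take the name from `parsed_url.path.lstrip('/')` instead of slicing `package.url`. Also, with the `.github.com` suffix match, hosts such as `gist.github.com` now qualify and their paths would be recorded as package names; confirm that is intended for this step.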
Potential fix for https://github.com/nrfconnect/sdk-nrf/security/code-scanning/35
To fix this, the code should correctly determine whether a package URL truly references GitHub as its host/domain. Instead of `'github.com' in package.url`, we should parse the URL using Python's `urllib.parse` module and check if the netloc (hostname part) is exactly `github.com`. Additionally, it's common for GitHub URLs to start with `www.github.com`, so we should ideally accept both.

Specifically, in the referenced region (lines 101–106), replace the substring search with a `urlparse` call and a check of the hostname against `github.com` (optionally including `www.github.com`). You will need to import `urlparse` from `urllib.parse`, if not already done.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.