-
-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolved ssrf vulnerability #2657
Conversation
🔍 Existing Issues For ReviewYour pull request is modifying functions with the following pre-existing issues: 📄 File: website/views.py
Did you find this useful? React with a 👍 or 👎 |
company_name = request.POST.get("company") | ||
company = Company.objects.filter(name=company_name).first() | ||
|
||
if not company: | ||
try: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is very basic check for company name in the response body. Let's at least check that the request isn't being redirected to another location (status code 200 might work)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have made the changes, plz do check if this satisfies the requirements. Thank you.
# back to the domain detail page | ||
return redirect("domain", slug=domain.url) | ||
try: | ||
response = requests.get(domain.url, allow_redirects=False) |
Check failure
Code scanning / CodeQL
Full server-side request forgery Critical
user-provided value
can you please fix the conflicts? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you please fix the conflicts?
On It. Will try to fix this asap. |
We split this file up |
PR Desc:
This pr is regarding the issue in the server-side request forgery vulnerability. This pr aims to fix #2650 .