Description of the false positive
I have made attempts to validate the inputs used in the FastAPI endpoint, making sure that they are from a list of approved entries, and checking the string to make sure that only certain characters are permitted.
If this is not a false positive, advice on what I could improve would be appreciated.
Code samples or links to source code
This is a FastAPI endpoint to return specific packages from an MSYS2 repo to client PCs that cannot see the wider internet.
```python
import re
from urllib.parse import quote

import requests
from fastapi import APIRouter, HTTPException, Response

# Set up FastAPI router
msys2 = APIRouter(prefix="/msys2")

# List of valid inputs, used over multiple endpoints
valid_env = ("msys", "mingw")
valid_msys = ("i686", "x86_64")
valid_mingw = (
    "clang32",
    "clang64",
    "clangarm64",
    "i686",
    "mingw32",
    "mingw64",
    "sources",
    "ucrt64",
    "x86_64",
)


@msys2.get("/{environment}/{architecture}/{package}", response_class=Response)
def get_msys2_package_file(
    environment: str,
    architecture: str,
    package: str,
) -> Response:
    """Obtain and pass through a specific download for an MSYS2 package."""
    # Validate environment against the allowlist. Rejections are raised as
    # HTTPException so the client gets a 400; a bare ValueError (as originally
    # posted) is unhandled by FastAPI and surfaces as a 500.
    if environment not in valid_env:
        raise HTTPException(
            status_code=400, detail=f"{environment!r} is not a valid msys2 environment"
        )
    # Validate architecture for each environment
    if environment == "msys" and architecture not in valid_msys:
        raise HTTPException(
            status_code=400, detail=f"{architecture!r} is not a valid msys architecture"
        )
    elif environment == "mingw" and architecture not in valid_mingw:
        raise HTTPException(
            status_code=400, detail=f"{architecture!r} is not a valid mingw architecture"
        )
    # Validate package name: word characters, whitespace, dot and hyphen only.
    # Note that this pattern also admits whitespace and names made only of
    # dots, and quote() leaves dots unchanged in the path.
    if not re.fullmatch(r"^[\w\s\.\-]+$", package):
        raise HTTPException(
            status_code=400, detail=f"{package!r} is not a valid package name"
        )
    # Construct URL to main MSYS repo and get response. Only allowlisted or
    # pattern-checked values reach the URL, and each is percent-encoded.
    package_url = (
        f"https://repo.msys2.org/{quote(environment)}/{quote(architecture)}/{quote(package)}"
    )
    # A timeout keeps an unresponsive upstream from tying up the worker.
    package_file = requests.get(package_url, timeout=30)
    if package_file.status_code == 200:
        return Response(
            content=package_file.content,
            media_type=package_file.headers.get("Content-Type"),
            status_code=package_file.status_code,
        )
    else:
        raise HTTPException(status_code=package_file.status_code)
```
URL to the alert on GitHub code scanning (optional)
https://github.com/DiamondLightSource/python-murfey/security/code-scanning/402
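The following is an added example, not code from the issue author or from python-murfey. It lifts the endpoint's allowlist and pattern checks into a standalone URL builder that runs offline (no FastAPI or requests), so the posted pattern can be compared with a tightened one and the constructed URL can be checked against the expected repository layout before any request is made. The tightened pattern, the `REPO_BASE` constant and the three-segment layout check are assumptions about MSYS2 file names and repository structure, not something the issue states.

```python
import re
from urllib.parse import quote, urlsplit

# Upstream repository, as used by the endpoint in the issue.
REPO_BASE = "https://repo.msys2.org"

# Allowlists copied from the endpoint.
VALID_ENV = ("msys", "mingw")
VALID_MSYS = ("i686", "x86_64")
VALID_MINGW = ("clang32", "clang64", "clangarm64", "i686", "mingw32",
               "mingw64", "sources", "ucrt64", "x86_64")

# The endpoint's own pattern: \w also matches non-ASCII letters, \s admits
# whitespace, and nothing stops a name made only of dots.
LOOSE_PACKAGE_RE = re.compile(r"[\w\s.\-]+")

# Tightened pattern (an assumption about MSYS2 file names, not from the
# issue): ASCII only, must start with an alphanumeric, no whitespace, so
# "." and ".." can never match.
STRICT_PACKAGE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.+\-]*")


def package_name_ok(package: str, strict: bool = False) -> bool:
    """True if the whole name matches the chosen pattern (re.fullmatch, as the endpoint uses)."""
    pattern = STRICT_PACKAGE_RE if strict else LOOSE_PACKAGE_RE
    return pattern.fullmatch(package) is not None


def architectures_for(environment: str) -> tuple:
    """Allowed architectures for an environment, mirroring the endpoint's two branches."""
    if environment == "msys":
        return VALID_MSYS
    if environment == "mingw":
        return VALID_MINGW
    raise ValueError(f"{environment!r} is not a valid msys2 environment")


def build_package_url(environment: str, architecture: str, package: str) -> str:
    """Validate the three path parameters and return the upstream URL, or raise ValueError."""
    if environment not in VALID_ENV:
        raise ValueError(f"{environment!r} is not a valid msys2 environment")
    if architecture not in architectures_for(environment):
        raise ValueError(f"{architecture!r} is not a valid {environment} architecture")
    if not package_name_ok(package, strict=True):
        raise ValueError(f"{package!r} is not a valid package name")
    url = f"{REPO_BASE}/{quote(environment)}/{quote(architecture)}/{quote(package)}"
    # Post-construction invariant (assumed repository layout): the quoted URL
    # must still point at the fixed host and contain exactly three segments
    # below it, none of them empty, "." or "..". This catches any future
    # loosening of the pattern or of quote()'s safe characters.
    parts = urlsplit(url)
    segments = parts.path.split("/")[1:]
    if (parts.scheme != "https" or parts.netloc != "repo.msys2.org"
            or len(segments) != 3 or any(s in ("", ".", "..") for s in segments)):
        raise ValueError(f"constructed URL escaped the repository layout: {url}")
    return url


def compare_patterns(candidates) -> dict:
    """Map each candidate name to (loose_ok, strict_ok) to show where the two patterns differ."""
    return {name: (package_name_ok(name), package_name_ok(name, strict=True))
            for name in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: one realistic-looking file name, then edge cases.
    samples = ["mingw-w64-x86_64-gcc-13.2.0-2-any.pkg.tar.zst", "..", "a b.tar", "../x", "x%2F.."]
    for name, (loose, strict) in compare_patterns(samples).items():
        print(f"{name!r:50} loose={loose} strict={strict}")
    print(build_package_url("mingw", "x86_64", samples[0]))
```

Running the block prints the accept/reject decision of both patterns for each sample and the URL built for the realistic name. Both patterns already reject anything containing `/` or `%`, which is why the scanner's partial-SSRF finding has no practical route to another host or path prefix; the tightened pattern additionally closes the dots-only and whitespace cases, and the layout check after `quote()` gives a second, independent guard that does not depend on the regex at all.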
Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
Hi @hvitved, that's good enough. I mainly wanted confirmation as to whether this was a false positive or an actual error on my part, and I have received confirmation that it is indeed a false positive (https://security.stackexchange.com/a/278538/309008). Keep up the good work with CodeQL!