Skip to content

Commit 7c6324a

Browse files
mprpicclaude
andcommitted
fix: use proper URL parsing for GitHub API domain
Replace substring check with urlparse hostname comparison to prevent potential bypass via crafted URLs. Resolves CodeQL alert py/incomplete-url-substring-sanitization (CWE-20): https://github.com/python-wheel-build/fromager/security/code-scanning/1 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Martin Prpič <mprpic@redhat.com>
1 parent d86f938 commit 7c6324a

1 file changed

Lines changed: 2 additions & 1 deletion

File tree

src/fromager/http_retry.py

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
import random
1919
import time
2020
import typing
21+
from urllib.parse import urlparse
2122

2223
import requests
2324
from requests.adapters import HTTPAdapter
@@ -156,7 +157,7 @@ def send(
156157
if (
157158
response.status_code == 403
158159
and request.url is not None
159-
and "api.github.com" in request.url
160+
and urlparse(request.url).hostname == "api.github.com"
160161
and "rate limit" in response.text.lower()
161162
):
162163
self._handle_github_rate_limit(response, attempt, max_attempts)

0 commit comments

Comments
 (0)