Address PR review feedback

- Use permissions: {} per Hugo's suggestion (cherry-picker pattern)
- Fix protocol-relative URL bypass (//evil.com) in event detail and
  isSafeImageSrc
- Use PurePosixPath + part filtering for robust path traversal
  prevention in MediaMigrationView
- var -> let in JS

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JacobCoffee

.github/workflows/ci.yml

@@ -2,8 +2,7 @@ name: CI
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   migrations:

.github/workflows/static.yml

@@ -2,8 +2,7 @@ name: Check collectstatic
 
 on: [push, pull_request, workflow_dispatch]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   collectstatic:

apps/events/templates/events/event_detail.html

@@ -184,8 +184,8 @@ <h3 class="widget-title">More events in <!-- The current category--><a href="{{
 <script>
 $(function(){
     $('#dataRangeSelect').change(function(e) {
-        var url = $(this).val();
-        if (url && url.charAt(0) === '/') {
+        let url = $(this).val();
+        if (url && url.charAt(0) === '/' && url.charAt(1) !== '/') {
             window.location = url;
         }
     });

pydotorg/views.py

@@ -4,7 +4,7 @@
 import json
 import re
 from collections import defaultdict
-from pathlib import Path
+from pathlib import Path, PurePosixPath
 
 from django.conf import settings
 from django.http import HttpResponse, JsonResponse
@@ -84,9 +84,11 @@ class MediaMigrationView(RedirectView):
 
     def get_redirect_url(self, *args, **kwargs):
         """Build the S3 redirect URL from the media path."""
-        image_path = kwargs["url"]
-        # Sanitize path to prevent open redirect via path traversal
-        image_path = image_path.lstrip("/").replace("../", "")
+        # Normalize path to prevent traversal (../, ....//,  %2e%2e/, etc.)
+        image_path = PurePosixPath(kwargs["url"]).as_posix().lstrip("/")
+        # Collapse any remaining parent references after normalization
+        parts = [p for p in image_path.split("/") if p not in (".", "..")]
+        image_path = "/".join(parts)
         if self.prefix:
             image_path = f"{self.prefix}/{image_path}"
         return f"{settings.AWS_S3_ENDPOINT_URL}/{settings.AWS_STORAGE_BUCKET_NAME}/{image_path}"

static/js/sponsors/applicationForm.js

@@ -2,10 +2,10 @@ const DESKTOP_WIDTH_LIMIT = 1200;
 
 function isSafeImageSrc(url) {
   if (!url) return false;
-  // Allow relative URLs and data URIs for static assets
-  if (url.charAt(0) === '/' || url.indexOf('/static/') === 0) return true;
+  // Allow relative URLs starting with / (but not protocol-relative //)
+  if (url.charAt(0) === '/' && url.charAt(1) !== '/') return true;
   try {
-    var parsed = new URL(url, window.location.origin);
+    let parsed = new URL(url, window.location.origin);
     return parsed.origin === window.location.origin;
   } catch (e) {
     return false;