Created February 28, 2024 02:28
The _validate_url method should prevent any URL that points to a local network (e.g. localhost). The following patch was submitted by a player. Do you think this patch has fixed the security bug?
```python
from re import search  # the gist calls search() unqualified; this import is implied

# Errors.ErrInvalidURL is defined elsewhere in the challenge code, not in this gist.


def _validate_url(url: str):
    """Should prevent URLs that point to a local network (e.g. localhost)
    """
    # substring blocklist: the name "localhost" and a few well-known metadata / file paths
    if search("localhost", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/latest/meta-data", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/etc/passwd", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/computeMetadata", url) is not None:
        raise Errors.ErrInvalidURL
    # require an http or https scheme
    if search(r"^http[s]?://.*", url) is None:
        raise Errors.ErrInvalidURL
    # three literal addresses; the dots are unescaped, so each "." matches any character
    if search(r"(224.0.0.1|192.168.0.1|169.254.0.255)", url) is not None:
        raise Errors.ErrInvalidURL
    return None


# Try this secure coding challenge on https://play.secdim.com/game/python/challenge/ssrfpy
```
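To answer the question by running it rather than reading it, here is an added example (not part of the gist or the SecDim challenge): the player's `_validate_url` copied unchanged, a set of constructed URLs that still reach loopback, link-local or RFC 1918 space, one constructed legitimate URL that the patch rejects, and a hardened check that parses the URL with `urllib.parse`, turns the host into addresses and classifies them with `ipaddress` instead of matching substrings. The `Errors` class, `FAKE_DNS`, `resolve_constructed`, `_host_to_ip`, `validate_url_hardened` and `blocked_by` are all assumptions introduced for the example; the DNS table is constructed so the code runs offline.

```python
import ipaddress
from re import search
from urllib.parse import urlsplit


class Errors:
    """Stand-in for the challenge's Errors namespace (assumed, not from the gist)."""
    class ErrInvalidURL(Exception):
        pass


def _validate_url(url: str):
    """The player's patch, copied unchanged so it can be exercised."""
    if search("localhost", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/latest/meta-data", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/etc/passwd", url) is not None:
        raise Errors.ErrInvalidURL
    if search("/computeMetadata", url) is not None:
        raise Errors.ErrInvalidURL
    if search(r"^http[s]?://.*", url) is None:
        raise Errors.ErrInvalidURL
    if search(r"(224.0.0.1|192.168.0.1|169.254.0.255)", url) is not None:
        raise Errors.ErrInvalidURL
    return None


# Constructed DNS table so the example runs offline (assumption). In production
# use socket.getaddrinfo and connect to the address you validated.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "example.com": ["93.184.216.34"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public and one loopback answer
}


def resolve_constructed(host: str) -> list:
    return FAKE_DNS.get(host, [])


def _host_to_ip(host: str):
    """Parse IP literals, including bare numeric forms such as 0x7f000001 or
    2130706433 (assumption: the HTTP client parses hosts the way inet_aton does)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)
        if 0 <= n <= 0xFFFFFFFF:
            return ipaddress.IPv4Address(n)
    except ValueError:
        pass
    return None


def _is_non_public(ip) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified
    addresses, after unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def validate_url_hardened(url: str, resolver=resolve_constructed):
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    parts = urlsplit(url)
    host = parts.hostname  # urlsplit lowercases it and strips IPv6 brackets
    if parts.scheme not in ("http", "https") or not host:
        raise Errors.ErrInvalidURL
    ip = _host_to_ip(host)
    addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs or any(_is_non_public(a) for a in addrs):
        raise Errors.ErrInvalidURL  # unresolvable hosts fail closed
    return None


def blocked_by(validator, url: str) -> bool:
    """True if `validator` raises Errors.ErrInvalidURL for `url`."""
    try:
        validator(url)
    except Errors.ErrInvalidURL:
        return True
    return False


# Constructed inputs; each one targets loopback, link-local or RFC 1918 space.
BYPASSES = [
    "http://127.0.0.1/admin",                    # no "localhost" substring
    "http://LOCALHOST/",                         # search() is case-sensitive
    "http://[::1]/admin",                        # IPv6 loopback
    "http://0x7f000001/",                        # hex form of 127.0.0.1
    "http://2130706433/",                        # decimal form of 127.0.0.1
    "http://169.254.169.254/latest/api/token",   # IMDSv2 token path, not /latest/meta-data
    "http://192.168.0.2/",                       # only 192.168.0.1 is listed
    "http://10.0.0.1/",                          # 10/8 is not listed at all
]

# Constructed legitimate URL: with unescaped dots, "224.0.0.1" matches "224a0b0c1".
FALSE_POSITIVE = "https://example.com/items/224a0b0c1"
```

Every entry in `BYPASSES` passes `_validate_url` and is rejected by `validate_url_hardened`; `FALSE_POSITIVE` is the reverse. Two caveats remain even with the hardened check: the resolver must be the real one (`socket.getaddrinfo`) and the connection should be made to the address that was validated, otherwise a host that answers differently on the second lookup (DNS rebinding) slips through; and redirects must be re-validated, since the first URL being public says nothing about where a 302 points.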