fix: validate resolved URL scheme/authority in _substitute_url_template (F-07-01) #12
Merged
…te (F-07-01)

Mirror of the SecID-Service buildUrl fix (#17): the self-hosted resolver substituted query-derived values into a registry URL template via raw str.replace with no validation. _substitute_url_template now re-parses the assembled URL and returns None (callers drop to a description-only result) unless the scheme + netloc match the template's literal authority.

Values are kept verbatim — identifiers legitimately contain ':' etc. (RHSA-2024:1234), so the authority check, not encoding, is what prevents an open redirect. Latent today (registry templates keep placeholders in path position); this is the resolver layer of the defense-in-depth URL-validation decision.

Adds 2 regression tests; full suite 30 passed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…dation # Conflicts: # python/test_smoke.py
Finding

F-07-01 — the Server-API (Python) half of the resolver-layer URL-validation, mirroring the Worker fix in SecID-Service#17. Closes Patch 06 across both resolvers.

_substitute_url_template substituted query-derived values into a registry URL template via raw str.replace with no validation. Latent today (registry templates keep placeholders in path position), but if a template placed a placeholder in the authority, a crafted identifier could steer the resolved host/scheme (open redirect).

Fix

_substitute_url_template now returns Optional[str]: it re-parses the assembled URL and returns None unless the scheme + netloc match the template's literal authority (read by neutralizing {placeholders}). The three callers (#subpath, @version, cross-source) drop to a description-only result on None.

Values are kept verbatim — no quote() encoding — so identifiers that contain reserved chars (e.g. RHSA-2024:1234) are preserved. (Same lesson as #17, where blanket encoding broke the colon case.)

Tests

2 new tests: authority-injection dropped (https://{id}.example.com/, https://{id}/path → None) and reserved-char preservation on the same host. The 6 existing _substitute_url_template tests still pass. Full suite: 30 passed.

Generated from PATCHES/06-resolver-url-validation.patch.md (Server-API half).

🤖 Generated with Claude Code
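The check described in this pull request, written out as an added example (not the project's code): substitute values verbatim, re-parse, and return None unless scheme and netloc equal the template's literal authority. The names `substitute_checked` and `_authority`, neutralizing placeholders to an empty string, and the sample templates and values are assumptions made for illustration.

```python
import re
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit

_PLACEHOLDER = re.compile(r"\{[^{}]*\}")


def _authority(url: str) -> Optional[Tuple[str, str]]:
    """Return (scheme, netloc), lower-cased, or None if the URL does not parse."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed bracketed host
        return None
    return parts.scheme.lower(), parts.netloc.lower()


def substitute_checked(template: str, values: Mapping[str, str]) -> Optional[str]:
    """Fill {placeholders} verbatim; None if the authority is not the template's own."""
    # Literal authority of the template, read with placeholders neutralized
    # to "" (assumption: the page does not say what the real code substitutes).
    expected = _authority(_PLACEHOLDER.sub("", template))
    if expected is None or not expected[0] or not expected[1]:
        return None  # template has no fixed scheme or host to compare against
    url = template
    for name, value in values.items():
        url = url.replace("{" + name + "}", value)  # verbatim, no quote()
    if _authority(url) != expected:
        return None  # a value changed scheme or host: caller drops the URL
    return url


if __name__ == "__main__":
    # Constructed sample inputs; hosts and identifiers are illustrative only.
    samples = [
        ("https://access.example.com/errata/{id}", {"id": "RHSA-2024:1234"}),
        ("https://{id}.example.com/", {"id": "evil"}),
        ("https://{id}/path", {"id": "attacker.test"}),
    ]
    for template, values in samples:
        print(template, values, "->", substitute_checked(template, values))
```

A caller treats None as "no URL available" and falls back to the description-only result, as the three callers in the description do.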