From f122ceb0509ea305e5cccd9baff0943753ff0203 Mon Sep 17 00:00:00 2001 From: FailSafe Researcher Date: Tue, 9 Jun 2026 20:22:35 -0700 Subject: [PATCH] fix: validate host_url to prevent Host-header injection XSS Signed-off-by: FailSafe Researcher --- python_a2a/server/http.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/python_a2a/server/http.py b/python_a2a/server/http.py index 24644df..fe24b0a 100644 --- a/python_a2a/server/http.py +++ b/python_a2a/server/http.py @@ -1,3 +1,4 @@ +import re """ HTTP server implementation for the A2A protocol. """ @@ -108,10 +109,14 @@ def enhanced_a2a_index(): }) # Otherwise serve HTML by default + # Validate host_url to prevent Host-header injection + host_url = request.host_url + if not re.match(r'^https?://[a-zA-Z0-9._-]+(:\d+)?/', host_url): + host_url = request.scheme + "://" + request.host.split(":")[0] response = make_response(render_template_string( AGENT_INDEX_HTML, agent=agent, - request=request + host_url=host_url )) response.headers['Content-Type'] = 'text/html; charset=utf-8' return response