fecgov / fecfile-web-api

Back-end API for FECfile application

[Snyk] Investigate and resolve possible SSRF vulnerabilities #1169

Open exalate-issue-sync[bot] opened 3 weeks ago

exalate-issue-sync[bot] commented 3 weeks ago

Snyk has identified two possible “Server-Side Request Forgery” vulnerabilities. Both are found in contacts/views.py. We should investigate and resolve these potential issues.

[attached screenshot: image-20241104-211338.png]

QA Notes

No user-facing changes. Unit tests should pass as normal.

DEV Notes

These warnings are for the `candidate()` and `committee()` methods in `fecfiler/contacts/views.py`.

See full ticket and images here: FECFILE-1752
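The finding above names two view methods but does not show their code. The following is an added example, not code from fecfile-web-api, of the defensive pattern a reviewer would look for when resolving an SSRF warning of this kind: user input reaches an outbound request only as a validated identifier placed into a fixed upstream URL, and the final URL is checked against an allowlist of origins before anything is fetched. The upstream host `api.example.gov`, the `v1` path, the `api_key` query parameter and the identifier shape (one letter followed by eight digits) are constructed assumptions, not the project's real values.

```python
"""Hardened outbound-URL construction for a Django view that proxies lookups.

Added example; it assumes (hypothetically) that a view such as candidate()
receives an identifier from the request and fetches matching data from one
fixed upstream API. Everything below is illustrative, not project code.
"""
import re
from urllib.parse import quote, urlencode, urlsplit

# Constructed allowlist: the only (scheme, host) pair the views may contact.
ALLOWED_ORIGINS = {("https", "api.example.gov")}

# Constructed base URL; user data never touches the scheme or host.
UPSTREAM_BASE = "https://api.example.gov/v1"

# Constructed identifier shape: one uppercase letter followed by eight digits.
ID_PATTERN = re.compile(r"[A-Z][0-9]{8}")


class UnsafeRequest(ValueError):
    """Raised when a URL or identifier fails validation."""


def is_valid_fec_id(value):
    """True only for strings that match the constructed identifier shape."""
    return isinstance(value, str) and ID_PATTERN.fullmatch(value) is not None


def build_upstream_url(path_segments, params=None):
    """Join fixed and validated segments onto UPSTREAM_BASE.

    Each segment is percent-encoded with no safe characters, so a value
    containing '/', '?', '#' or '@' cannot change the path or the host.
    """
    for seg in path_segments:
        if seg in ("", ".", ".."):
            raise UnsafeRequest(f"invalid path segment: {seg!r}")
    path = "/".join(quote(seg, safe="") for seg in path_segments)
    url = f"{UPSTREAM_BASE}/{path}/"
    if params:
        url += "?" + urlencode(params)
    return url


def is_allowed_url(url):
    """True when the URL's origin is on the allowlist and it carries no
    userinfo or explicit port (both are common ways to smuggle a different
    destination past a naive host check)."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port: treat as malformed
        return False
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    return (parts.scheme.lower(), parts.hostname or "") in ALLOWED_ORIGINS


def assert_allowed(url):
    """Gate every outbound request through the allowlist check."""
    if not is_allowed_url(url):
        raise UnsafeRequest(f"origin not on allowlist: {url}")
    return url


def candidate_lookup_url(candidate_id, api_key="constructed-key"):
    """URL a hardened candidate() view would fetch for a validated id."""
    if not is_valid_fec_id(candidate_id):
        raise UnsafeRequest(f"invalid candidate id: {candidate_id!r}")
    return assert_allowed(
        build_upstream_url(["candidate", candidate_id], {"api_key": api_key})
    )


def committee_lookup_url(committee_id, api_key="constructed-key"):
    """Same pattern for a committee() view."""
    if not is_valid_fec_id(committee_id):
        raise UnsafeRequest(f"invalid committee id: {committee_id!r}")
    return assert_allowed(
        build_upstream_url(["committee", committee_id], {"api_key": api_key})
    )


if __name__ == "__main__":
    print(candidate_lookup_url("P00000001"))
    for bad in ("https://internal.example/", "https://api.example.gov:8443/",
                "https://api.example.gov@internal.example/"):
        print(bad, "->", "allowed" if is_allowed_url(bad) else "rejected")
```

The two checks are deliberately independent: identifier validation stops the request path from being shaped by the caller, and the origin allowlist is a last line of defence in case a later change lets a full URL through. In a real view the returned URL would be passed to the HTTP client only after `assert_allowed` has run.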

exalate-issue-sync[bot] commented 1 week ago

Todd Lees commented: Passes CR, moving to QA.

exalate-issue-sync[bot] commented 1 week ago

Todd Lees commented: https://app.circleci.com/pipelines/github/fecgov/fecfile-web-api/4583/workflows/3936c9dd-5922-4c59-a4b8-c00b20ca8c4d/jobs/13190

[attached screenshot: image-20241119-135824.png]

exalate-issue-sync[bot] commented 1 week ago

Shelly Wise commented: QA review verified tests passing for this ticket per DEV.

[attached screenshot: image-20241119-140405.png]

QA Review Completed. Moved to Stage Ready.