github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

False positive: SSRF warning on user-based input in FastAPI endpoint #17353

Closed tieneupin closed 2 weeks ago

tieneupin commented 2 months ago

Description of the false positive

I have made attempts to validate the inputs used in the FastAPI endpoint, making sure that they are from a list of approved entries, and checking the string to make sure that only certain characters are permitted.

If this is not a false positive, advice on what I could improve would be appreciated.

Code samples or links to source code

This is a FastAPI endpoint to return specific packages from an MSYS2 repo to client PCs that cannot see the wider internet.

import re
from urllib.parse import quote

import requests
from fastapi import APIRouter, HTTPException, Response

# Set up FastAPI router
msys2 = APIRouter(prefix="/msys2")

# List of valid inputs, used over multiple endpoints
valid_env = ("msys", "mingw")
valid_msys = ("i686", "x86_64")
valid_mingw = (
    "clang32",
    "clang64",
    "clangarm64",
    "i686",
    "mingw32",
    "mingw64",
    "sources",
    "ucrt64",
    "x86_64",
)

@msys2.get("/{environment}/{architecture}/{package}", response_class=Response)
def get_msys2_package_file(
    environment: str,
    architecture: str,
    package: str,
) -> Response:
    """
    Obtain and pass through a specific download for an MSYS2 package.
    """

    # Validate environment
    if environment not in valid_env:
        raise ValueError(f"{environment!r} is not a valid msys2 environment")

    # Validate architecture for each environment
    if environment == "msys" and architecture not in valid_msys:
        raise ValueError(f"{architecture!r} is not a valid msys architecture")
    elif environment == "mingw" and architecture not in valid_mingw:
        raise ValueError(f"{architecture!r} is not a valid mingw architecture")

    # Validate package name
    # fullmatch already anchors the pattern, so ^ and $ are not needed
    if re.fullmatch(r"[\w\s.\-]+", package) is None:
        raise ValueError(f"{package!r} is not a valid package name")

    # Construct URL to main MSYS repo and get response
    package_url = f"https://repo.msys2.org/{quote(environment)}/{quote(architecture)}/{quote(package)}"
    # A timeout prevents the worker hanging if the upstream repo stalls
    package_file = requests.get(package_url, timeout=30)

    if package_file.status_code == 200:
        return Response(
            content=package_file.content,
            media_type=package_file.headers.get("Content-Type"),
            status_code=package_file.status_code,
        )
    else:
        raise HTTPException(status_code=package_file.status_code)

URL to the alert on GitHub code scanning (optional)

https://github.com/DiamondLightSource/python-murfey/security/code-scanning/402
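The SSRF question in this report turns on a single property: the user-controlled values only ever land in path segments of a URL whose scheme and host are fixed literals, so none of them can redirect the request to another origin. The example below is added here and is not the poster's code or part of CodeQL; it reproduces the endpoint's allow-list and package-name checks in a standalone `build_package_url`, then verifies with `urllib.parse.urlsplit` that the resulting origin is always `https://repo.msys2.org`, over a set of constructed inputs including ones shaped like userinfo, path traversal and fragments. One hardening choice beyond the original is `quote(..., safe="")`, which also percent-encodes `/`, so a segment can never add path components even if the regex were later relaxed.

```python
import re
from urllib.parse import quote, urlsplit

# Fixed origin: user input is never allowed to influence scheme or host.
REPO_ORIGIN = "https://repo.msys2.org"

# Same allow-lists as the endpoint in the issue.
VALID_ENV = ("msys", "mingw")
VALID_MSYS = ("i686", "x86_64")
VALID_MINGW = ("clang32", "clang64", "clangarm64", "i686", "mingw32",
               "mingw64", "sources", "ucrt64", "x86_64")

# Equivalent to the issue's pattern: word chars, whitespace, dot, hyphen.
PACKAGE_RE = re.compile(r"[\w\s.\-]+")


def build_package_url(environment: str, architecture: str, package: str) -> str:
    """Validate the three path components and return the upstream URL.

    Raises ValueError on any component that is not on the allow-list or does
    not match the package-name pattern, mirroring the endpoint's checks.
    """
    if environment not in VALID_ENV:
        raise ValueError(f"{environment!r} is not a valid msys2 environment")
    valid_arch = VALID_MSYS if environment == "msys" else VALID_MINGW
    if architecture not in valid_arch:
        raise ValueError(f"{architecture!r} is not a valid {environment} architecture")
    if PACKAGE_RE.fullmatch(package) is None:
        raise ValueError(f"{package!r} is not a valid package name")
    # quote() percent-encodes anything that could act as a URL delimiter;
    # safe="" (stricter than the issue's default) also encodes "/".
    return "/".join((
        REPO_ORIGIN,
        quote(environment, safe=""),
        quote(architecture, safe=""),
        quote(package, safe=""),
    ))


def origin_is_pinned(url: str) -> bool:
    """True if the scheme and host of url are exactly the fixed upstream origin."""
    parts = urlsplit(url)
    expected = urlsplit(REPO_ORIGIN)
    return (parts.scheme, parts.netloc) == (expected.scheme, expected.netloc)


def probe(environment: str, architecture: str, package: str) -> str:
    """Classify one set of inputs as 'rejected', 'pinned' or 'ESCAPED'."""
    try:
        url = build_package_url(environment, architecture, package)
    except ValueError:
        return "rejected"
    return "pinned" if origin_is_pinned(url) else "ESCAPED"


# Constructed sample inputs: one legitimate request plus shapes that would
# matter if the host or path layout were attacker-controlled.
SAMPLES = {
    "legit": ("msys", "x86_64", "pacman-6.0.2-1-x86_64.pkg.tar.zst"),
    "userinfo": ("msys", "x86_64", "evil.example@"),
    "traversal": ("mingw", "ucrt64", "../../other"),
    "fragment": ("msys", "x86_64", "pkg#frag"),
    "space": ("msys", "x86_64", "pkg name.tar"),
    "bad_env": ("evil.example", "x86_64", "pkg"),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(f"{name:10s} -> {probe(*args)}")
```

Running the script shows every hostile sample either rejected by the validators or, where the regex admits it (whitespace), percent-encoded into a path segment with the origin unchanged; no input reaches the `ESCAPED` outcome. That is the argument for the alert being a false positive: the taint the query tracks never reaches the part of the URL that decides where the request goes.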

hvitved commented 2 months ago

@github/codeql-python : Could you help out here, please?

hvitved commented 1 month ago

Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.

tieneupin commented 1 month ago

Hi @hvitved , that's good enough. I mainly wanted confirmation as to whether this was a false positive or an actual error on my part, and I have received confirmation that it is indeed a false positive (https://security.stackexchange.com/a/278538/309008). Keep up the good work with CodeQL!

rvermeulen commented 2 weeks ago

Hi @tieneupin,

I'm closing this issue since it seems your question is answered. If further help is needed, feel free to reopen this issue.