Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix - Incomplete regular expression for hostnames #1993

Merged
merged 1 commit into from
Mar 16, 2022
Merged

Fix - Incomplete regular expression for hostnames #1993

merged 1 commit into from
Mar 16, 2022

Conversation

naveensrinivasan
Copy link
Contributor

Fixed the codeql issue

Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.

If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping regular-expression meta-characters such as ..

Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds.

Related to this #1905

Description

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

  • Includes unit tests
  • Adds integration tests if needed.

See the contribution guide for more details.

Reviewer Notes

  • The code flow looks good.
  • Unit tests and or integration tests added.

@naveensrinivasan
Fix - Incomplete regular expression for hostnames
de854ab 
Fixed the codeql issue
```
Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.

If a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping regular-expression meta-characters such as ..

Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behavior when it accidentally succeeds.

```
@naveensrinivasan
Copy link
Contributor Author

@imjasonh 👀

@imjasonh
Copy link
Collaborator

Thanks!

@imjasonh imjasonh merged commit 7839799 into GoogleContainerTools:main Mar 16, 2022
@naveensrinivasan naveensrinivasan deleted the naveen/feat/fix-codeql-issue branch March 16, 2022 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@imjasonh imjasonh imjasonh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@naveensrinivasan @imjasonh