
Fix code scanning alert no. 19: URL redirection from remote source #521

Merged: 1 commit from alert-autofix-19 into main, Oct 24, 2024

Conversation

TreyWW (Owner) commented Oct 19, 2024

Fixes https://github.com/TreyWW/MyFinances/security/code-scanning/19

To fix the problem, we need to ensure that the NEXT parameter is validated before being used in a redirect. We can use Django's url_has_allowed_host_and_scheme function to check that the URL is safe to redirect to. This function ensures that the URL does not contain an explicit host name and is within the allowed hosts.

  1. Import the url_has_allowed_host_and_scheme function from django.utils.http.
  2. Use this function to validate the NEXT parameter before redirecting.
  3. If the NEXT parameter is not valid, redirect to a safe default URL, such as the dashboard.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
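The three steps above, as an added Python example that is not part of this PR or of the MyFinances code base: a standalone re-implementation of the check Django's url_has_allowed_host_and_scheme performs (so it runs without Django installed), plus a small helper that falls back to a safe default. The host "app.example" and the landing page "/dashboard/" are constructed placeholders; in the project itself the function is imported from django.utils.http as the PR describes.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed placeholders for this example; a real deployment uses its own
# ALLOWED_HOSTS setting and landing page.
ALLOWED_HOSTS = {"app.example"}
DEFAULT_REDIRECT = "/dashboard/"


def _host_and_scheme_ok(url, allowed_hosts, require_https):
    """One pass of the check, mirroring Django's _url_has_allowed_host_and_scheme."""
    if url.startswith("///"):
        # urlsplit reads "///evil.example" as a path, but browsers read it as a host.
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    # A scheme without a host ("javascript:alert(1)", "http:///evil.example") is never safe.
    if not parts.netloc and parts.scheme:
        return False
    # A leading control character can hide a scheme from the parser.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    if not scheme and parts.netloc:
        scheme = "http"  # "//host/path" is protocol-relative and resolves to http(s)
    valid_schemes = ["https"] if require_https else ["http", "https"]
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def is_safe_redirect_url(url, allowed_hosts, require_https=False):
    """True only if url is relative or points at one of allowed_hosts over http(s)."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    if isinstance(allowed_hosts, str):
        allowed_hosts = {allowed_hosts}
    # Browsers treat backslashes as forward slashes, so "\\evil.example" must also
    # pass the check when read as "//evil.example".
    return _host_and_scheme_ok(url, allowed_hosts, require_https) and _host_and_scheme_ok(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def resolve_next(next_param, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_REDIRECT):
    """Return the validated NEXT target, or the safe default (step 3 of the fix)."""
    return next_param if is_safe_redirect_url(next_param, allowed_hosts) else default
```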
@TreyWW TreyWW marked this pull request as ready for review October 19, 2024 20:12

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.


@TreyWW TreyWW merged commit 457bb24 into main Oct 24, 2024
9 checks passed
@TreyWW TreyWW deleted the alert-autofix-19 branch October 24, 2024 11:44