Fix code scanning alert no. 111: Incomplete URL substring sanitization (#12305)

Signed-off-by: -LAN- <laipz8200@outlook.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
-LAN- 2025-01-02 16:52:43 +08:00 committed by GitHub
parent e7dffcd0f6
commit 0e6317678f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -2,6 +2,7 @@ import logging
import uuid import uuid
from enum import StrEnum from enum import StrEnum
from typing import Optional, cast from typing import Optional, cast
from urllib.parse import urlparse
from uuid import uuid4 from uuid import uuid4
import yaml # type: ignore import yaml # type: ignore
@ -113,8 +114,12 @@ class AppDslService:
) )
try: try:
max_size = 10 * 1024 * 1024 # 10MB max_size = 10 * 1024 * 1024 # 10MB
# tricky way to handle url from github to github raw url parsed_url = urlparse(yaml_url)
if yaml_url.startswith("https://github.com") and yaml_url.endswith((".yml", ".yaml")): if (
parsed_url.scheme == "https"
and parsed_url.netloc == "github.com"
and parsed_url.path.endswith((".yml", ".yaml"))
):
yaml_url = yaml_url.replace("https://github.com", "https://raw.githubusercontent.com") yaml_url = yaml_url.replace("https://github.com", "https://raw.githubusercontent.com")
yaml_url = yaml_url.replace("/blob/", "/") yaml_url = yaml_url.replace("/blob/", "/")
response = ssrf_proxy.get(yaml_url.strip(), follow_redirects=True, timeout=(10, 10)) response = ssrf_proxy.get(yaml_url.strip(), follow_redirects=True, timeout=(10, 10))
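Review bot: The `/blob/` rewrite on the new side (`yaml_url = yaml_url.replace("/blob/", "/")`) still replaces every occurrence, so a repository path that itself contains a `/blob/` segment is mangled even after the host check passes; limiting it to the first match, `yaml_url = yaml_url.replace("/blob/", "/", 1)`, keeps the rewrite to the branch separator. Because the guard now requires `parsed_url.netloc == "github.com"` exactly, the host substitution on the preceding line can no longer fire on look-alike hosts, but a `github.com:443` or capitalised host no longer matches either and is fetched unrewritten, which may be intended. The URL is parsed before the `.strip()` applied on the `ssrf_proxy.get` line; parsing the stripped value once (`parsed_url = urlparse(yaml_url.strip())`) would keep the check and the request looking at the same string. The enclosing method of AppDslService starts and ends outside the hunk.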