andrewmusselman opened a new issue, #601:
URL: https://github.com/apache/tooling-trusted-releases/issues/601

   ## Summary
   
   Query parameters and path segments are not URL-encoded when constructing 
URLs, potentially allowing URL injection attacks or broken URLs with special 
characters.
   
   **Note**: this is one example of a broader taint-tracking improvement that is 
needed; that will be covered in a separate discussion issue.
   
   ## ASVS Requirements
   
   - 1.2.2 - Verify that appropriate encoding is applied based on output context
   
   ## Related Audit Reports
   
   - [1.2.2.md](ASVS/reports/44ee502/L1/1.2.2.md) - URL encoding findings
   
   ## Affected Files
   
   - `atr/util.py` - URL construction utilities
   - `atr/get/download.py` - Download URL generation
   
   ## Current Behavior
   
   URLs are constructed using string concatenation or f-strings without proper 
encoding:
   
   ```python
   url = f"https://example.com/path/{user_input}?param={value}"
   ```
   
   ## Risk
   
   - URL injection/manipulation
   - Broken functionality with special characters
   - Open redirect vulnerabilities
   - Parameter pollution attacks
   
   ## Recommended Fix
   
   ```python
   # atr/util.py
   from urllib.parse import quote, urlencode
   
   def build_url(base: str, path: str, **params) -> str:
       """Build a URL with proper encoding."""
       # Encode each path segment; safe='' also encodes '/', so a value
       # cannot introduce extra path levels
       encoded_path = '/'.join(quote(segment, safe='') for segment in path.split('/'))
       
       # Join base and path explicitly: urljoin() would drop the last segment
       # of a base without a trailing slash (urljoin('/download', 'x') == '/x')
       url = f"{base.rstrip('/')}/{encoded_path}"
       
       # Add query parameters with proper encoding
       if params:
           url = f"{url}?{urlencode(params)}"
       
       return url
   
   # Usage example:
   # Instead of: f"/download/{project}/{version}/(unknown)"
   # Use: build_url("/download", f"{project}/{version}/(unknown)")
   ```
   
   ## Acceptance Criteria
   
   - [ ] URL construction utility function created
   - [ ] All dynamic URL construction uses proper encoding
   - [ ] Path segments encoded with `quote()`
   - [ ] Query parameters encoded with `urlencode()`
   - [ ] Test cases for special characters (spaces, &, =, /, etc.)
   - [ ] Review all f-string URL construction in codebase
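The following is an added illustration, not code from the ATR project: it builds a URL from separately supplied path segments and query values, parses it back the way a server would, and contrasts the result with the unencoded f-string pattern for the characters named in the test criteria (space, `&`, `=`, `/`). The names `build_url`, `naive_url` and `parse_url` and the sample values are chosen here.

```python
# Added example, not from atr/util.py: encoded vs. unencoded URL construction
# for path segments and query values containing space, '&', '=' and '/'.
from __future__ import annotations

from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def build_url(base: str, segments: list[str], params: dict[str, str] | None = None) -> str:
    """Join base + percent-encoded segments (+ urlencoded query string).

    safe='' makes quote() encode '/' as well, so a value such as 'a/b.tar.gz'
    stays one segment instead of becoming two path levels.
    """
    encoded = "/".join(quote(seg, safe="") for seg in segments)
    url = f"{base.rstrip('/')}/{encoded}"
    if params:
        url += "?" + urlencode(params)  # '&' and '=' in values become %26 / %3D
    return url


def naive_url(base: str, segments: list[str], params: dict[str, str]) -> str:
    """The f-string pattern the issue flags: no encoding at all."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f"{base}/{'/'.join(segments)}?{query}"


def parse_url(url: str) -> tuple[list[str], dict[str, list[str]]]:
    """Decode a URL the way a server would: path segments and a query dict."""
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    return segments, parse_qs(parts.query, keep_blank_values=True)


# Constructed sample values, each carrying one of the special characters.
SEGMENTS = ["proj", "1.0 beta", "a/b.tar.gz"]
PARAMS = {"q": "a&b=c"}

if __name__ == "__main__":
    for label, url in (("encoded", build_url("/download", SEGMENTS, PARAMS)),
                       ("naive", naive_url("/download", SEGMENTS, PARAMS))):
        print(label, url, parse_url(url))
```

With the naive form the archive name splits into two path segments and the `&b=c` inside the query value surfaces as a second parameter, which is the parameter-pollution case listed under Risk.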


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.