anupamme commented on code in PR #39646:
URL: https://github.com/apache/superset/pull/39646#discussion_r3206362610


##########
superset/db_engine_specs/base.py:
##########
@@ -810,6 +811,28 @@ def get_oauth2_token(
         response.raise_for_status()
         return response.json()
 
+    @classmethod
+    def _validate_oauth2_token_uri(cls, uri: str) -> None:
+        """Validate OAuth2 token URI to prevent SSRF attacks."""
+        import ipaddress
+        import socket as _socket
+        from urllib.parse import urlparse
+
+        parsed = urlparse(uri)
+        if parsed.scheme not in ("https", "http"):
+            raise ValueError(
+                f"OAuth2 token URI must use http or https scheme, got: 
{parsed.scheme!r}"
+            )
+        hostname = parsed.hostname or ""
+        try:
+            ip = ipaddress.ip_address(_socket.gethostbyname(hostname))
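Review bot: The SSRF check on the last hunk line resolves `hostname` once with `_socket.gethostbyname`, which returns a single IPv4 address, so a name with several A records or an AAAA-only name is either only partially checked or raises `socket.gaierror`, and the address tested here is not necessarily the one the later HTTP request connects to, because that request resolves the name again (a time-of-check/time-of-use gap). Resolving with `_socket.getaddrinfo` and testing every returned address narrows the first problem; closing the second would need the validated address to be the one the transport actually uses, or the check to run per connection, which this hunk does not show, and the request at the top of the hunk should presumably also refuse redirects since a redirect target bypasses this validation. `parsed.hostname or ""` additionally hands an empty string to the resolver when the URI has no host; rejecting that explicitly gives a clearer error. The body of `_validate_oauth2_token_uri` continues outside the hunk, so the `except` clause and the private-range checks that consume `ip` were not visible for review and would need to iterate over the set below.
```python
        hostname = parsed.hostname or ""
        if not hostname:
            raise ValueError("OAuth2 token URI must include a hostname")
        try:
            # Check every address the name resolves to (A and AAAA records),
            # not only the first IPv4 one; the caller's range checks must
            # reject the URI if any of them is disallowed.
            resolved_ips = {
                ipaddress.ip_address(info[4][0])
                for info in _socket.getaddrinfo(hostname, None)
            }
        # … unchanged: except clause and address-range checks (outside the hunk) …
```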

Review Comment:
   @orbisai0security can you address code review comments?


