
Added validation for URLs which are used as remote data source #4387

Merged: 2 commits merged into develop from az/remote_source_fix, Feb 28, 2022

Conversation

azhavoro

Motivation and context

How has this been tested?

Checklist

License

  • I submit my code changes under the same MIT License that covers the project.
    Feel free to contact the maintainers if that's a concern.
  • I have updated the license header for each file (see an example below)
# Copyright (C) 2022 Intel Corporation
#
# SPDX-License-Identifier: MIT

@azhavoro azhavoro requested a review from nmanovic as a code owner February 25, 2022 09:49
@@ -203,13 +206,53 @@ def _validate_manifest(manifests, root_dir):
raise Exception('Invalid manifest was uploaded')
return None

def _validate_url(url):
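Review bot: `_validate_url(url)` is introduced with no docstring or comment stating the policy it enforces, which is exactly what the review comment below has to ask for. Add a short docstring at the `def` saying what is accepted (which URL schemes, and that the host must map only to public addresses, per the OWASP SSRF prevention guidance cited in the discussion) and how failure is reported. The surrounding context is ambiguous on that last point: `_validate_manifest` just above both does `raise Exception('Invalid manifest was uploaded')` and falls through to `return None`, so state explicitly whether `_validate_url` raises or returns on a rejected URL so callers cannot silently treat `None` as success.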
Contributor

@azhavoro, could you please add some comments? Why do you think it is the proper way to verify remote URLs? Did you follow an article?

Contributor Author

The main idea is to allow IPs only from public networks; there are many articles about SSRF mitigation, e.g. https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
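The approach described in that reply (accept a remote data-source URL only when every address its host maps to is globally routable) as a worked example. This is an added illustration, not CVAT's `_validate_url` from the PR: the function names `validate_remote_url` and `is_safe_remote_url`, the injectable `resolve` hook, and the sample hostnames and addresses in the demo are assumptions made for the example. It goes slightly beyond the comment by also rejecting non-http(s) schemes, embedded credentials, IP-literal hosts, IPv4-mapped IPv6 literals and a host with a mixed public/private answer, which are the usual bypasses of an "allow public IPs only" rule.

```python
"""SSRF-style validation of a user-supplied remote data-source URL.

Added example, not the project's own code. validate_remote_url,
is_safe_remote_url and the `resolve` hook are names chosen here; the
hostnames and addresses in the demo are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every A/AAAA record for host (uses the network)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve host {host!r}") from exc
    return sorted({info[4][0] for info in infos})


def is_public_address(addr):
    """True only for a globally routable unicast address.

    IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped first so the IPv4 rules
    apply; loopback, link-local (which covers the 169.254.169.254 cloud
    metadata endpoint), private, multicast, reserved and unspecified
    ranges are all rejected.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_link_local or ip.is_private or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return ip.is_global


def validate_remote_url(url, resolve=resolve_all):
    """Return the list of public addresses the URL's host maps to.

    Raises ValueError for any URL that must not be fetched server-side:
    non-http(s) scheme, embedded credentials, missing host, invalid port,
    or a host with at least one non-public address (every record must be
    public, otherwise an attacker-controlled DNS zone can mix in 127.0.0.1).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        _ = parts.port  # raises ValueError when the port is not a valid number
    except ValueError as exc:
        raise ValueError("invalid port in URL") from exc
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        addrs = resolve(host)  # hostname: check every record it resolves to
    if not addrs:
        raise ValueError(f"host {host!r} has no addresses")
    rejected = [a for a in addrs if not is_public_address(a)]
    if rejected:
        raise ValueError(
            f"host {host!r} resolves to non-public address(es): {', '.join(rejected)}")
    return addrs


def is_safe_remote_url(url, resolve=resolve_all):
    """Boolean wrapper around validate_remote_url."""
    try:
        validate_remote_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline (no real DNS involved).
    fake_dns = {"example.com": ["93.184.216.34"],
                "evil.test": ["93.184.216.34", "10.0.0.5"]}
    for u in ("https://example.com/data.zip", "http://evil.test/data.zip",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.1]/"):
        print(u, "->", is_safe_remote_url(u, lambda h: fake_dns.get(h, [])))
```

The check is only as good as the moment it runs: the address list it returns should be the address the fetch actually connects to (or the fetch should be done with redirects disabled and each redirect target re-validated), because a hostname that resolves to a public address at validation time can be re-pointed at 127.0.0.1 by the time the HTTP client resolves it again.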


@nmanovic nmanovic left a comment


LGTM

@nmanovic nmanovic merged commit 6fad176 into develop Feb 28, 2022
@nmanovic nmanovic deleted the az/remote_source_fix branch February 28, 2022 06:52
@nmanovic nmanovic mentioned this pull request Mar 4, 2022
mikhail-treskin pushed a commit to retailnext/cvat that referenced this pull request Jun 22, 2022