url(public = True) is broken #309

Closed
haavardw opened this issue Oct 17, 2023 · 4 comments · Fixed by #356
Labels
enhancement Issue/PR: A new feature outdated Issue/PR: Open for more than 3 months

Comments

@haavardw

Version 0.10.3 added the `public` argument to `validators.url`, which would return 'False' for obvious local URLs. This was very useful, but the functionality seems to be broken, maybe since c43826c. Even the tests are removed. Nothing is mentioned in the changelog, and I find no obvious workarounds...

sparkiegeek added a commit to sparkiegeek/canonicalwebteam.discourse that referenced this issue Oct 23, 2023
@yozachar
Collaborator

Hi @haavardw, can you please provide a couple of use cases to consider?

@yozachar yozachar added the waiting Issue/PR: Wating for reply label Oct 26, 2023
@haavardw
Author

We have a system where you can submit a URL and get the web-site analyzed and scanned for phishing, malware etc. The argument public=True is used to prevent scanning of local resources, e.g. file:///etc/passwd or local cloud resources, which would open up for an attack on our servers. We are currently using 0.18.2 but would like to upgrade.

@yozachar yozachar added enhancement Issue/PR: A new feature and removed waiting Issue/PR: Wating for reply labels Oct 31, 2023
@stratigos

stratigos commented Jan 12, 2024

This article from Snyk is also apparently SEO optimized to appear for search results regarding python and URL validation: https://snyk.io/blog/secure-python-url-validation/

The code presented is essentially flawed as validators believes the local URL is valid, and only fails due to an invalid kwarg, public.

```python
import validators

# `public` is the keyword argument discussed in this issue
validation = validators.url("https://10.0.0.1", public=True)

if validation:
    print("URL is valid")
else:
    print("URL is invalid")
```

I read the source, and a comment in the source code suggests that public is a parameter, though the arg does not appear in the code.

I came to GitHub to search for a commit or perhaps issues that describe when/why public was removed.

Just mentioning this in case others find themselves here for the same reasons.

@haavardw you may be able to limit protocols or first check the url uses http | https explicitly before validation. Additionally it appears like file:///etc/passwd would be seen as an invalid url by validators.

@yozachar yozachar added the outdated Issue/PR: Open for more than 3 months label Jan 30, 2024
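One way to get the behaviour the thread wants from `public=True` without relying on that argument, as an added example that is not part of the thread or of the validators project: it uses only the Python standard library, and the names `is_public_url`, `system_resolve`, `sample_resolve` and the `.test` hostnames are assumptions made here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def system_resolve(host):
    """Every address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public_url(url, resolve=system_resolve):
    """True only for http(s) URLs whose host maps solely to global addresses."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False  # rejects file://, ftp://, empty hosts
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IP: no lookup needed
    except ValueError:
        try:
            # Drop any IPv6 zone id ("fe80::1%eth0") before parsing.
            addresses = [ipaddress.ip_address(a.split("%")[0]) for a in resolve(host)]
        except (OSError, ValueError):
            return False
    for addr in addresses:
        # Classify IPv4-mapped IPv6 (::ffff:10.0.0.1) by its embedded IPv4 address.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        if not addr.is_global:  # private, loopback, link-local, reserved, ...
            return False
    return bool(addresses)

# Constructed DNS answers so the demo runs offline (hypothetical hostnames).
SAMPLE_DNS = {
    "public.test": ["8.8.8.8"],
    "internal.test": ["10.0.0.5"],
    "mixed.test": ["8.8.8.8", "127.0.0.1"],
}

def sample_resolve(host):
    if host not in SAMPLE_DNS:
        raise OSError("unknown host")
    return SAMPLE_DNS[host]
```

A check like this only vets the addresses seen at validation time, so the scanner should connect to the address that was checked and re-run the check on every redirect target.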
@yozachar
Collaborator

precedes #325

nicolafio added a commit to nicolafio/drill-sergeant that referenced this issue Mar 27, 2024
The `public` parameter looks to be broken ¹.

¹ python-validators/validators#309