anderson-ufrj
commited on
Commit
·
71ebb65
1
Parent(s):
e63663c
fix: validate only URL path and query, not full URL with protocol
Modified URL validation to check only the path and query string parts
of the URL, excluding the protocol and host. This prevents false
positives from the https:// protocol being matched against patterns
like "file://" that are meant to detect malicious URLs.
The security middleware now correctly distinguishes between the safe
HTTPS protocol and actual suspicious patterns in the request path.
src/api/middleware/security.py
@@ -254,13 +254,18 @@ class RequestValidator:
| 254 |
if len(url) > SecurityConfig.MAX_URL_LENGTH:
| 255 |
return False, "URL too long"
| 256 |
| 257 |
-
#
| 258 |
for pattern in self.suspicious_patterns:
| 259 |
-
if pattern.search(
| 260 |
return False, "Suspicious pattern in URL"
| 261 |
| 262 |
# Check for double encoding
| 263 |
-
if "%25" in
| 264 |
return False, "Double URL encoding detected"
| 265 |
| 266 |
return True, None
| 254 |
if len(url) > SecurityConfig.MAX_URL_LENGTH:
| 255 |
return False, "URL too long"
| 256 |
| 257 |
+
# Only check path and query for suspicious patterns, not the full URL
| 258 |
+
path_and_query = request.url.path
| 259 |
+
if request.url.query:
| 260 |
+
path_and_query += "?" + request.url.query
| 261 |
+
| 262 |
+
# Check for suspicious patterns in path and query only
| 263 |
for pattern in self.suspicious_patterns:
| 264 |
+
if pattern.search(path_and_query):
| 265 |
return False, "Suspicious pattern in URL"
| 266 |
| 267 |
# Check for double encoding
| 268 |
+
if "%25" in path_and_query:
| 269 |
return False, "Double URL encoding detected"
| 270 |
| 271 |
return True, None
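Review bot: The suspicious-pattern loop at new lines 263–265 matches against `path_and_query` in whatever encoding state the framework hands back, so a pattern that is only visible after percent-decoding is not detected, and the `%25` test at line 268 is the only encoding-aware check left. Depending on the framework, `request.url.path` may already be percent-decoded while `request.url.query` is still raw, which would also mean the two halves are scanned in inconsistent states. Keep the double-encoding check on the raw string, then run the pattern loop over a normalized copy built with `urllib.parse.unquote` (an import the hunk does not show and that would have to be added at the top of the file). The enclosing method starts outside the hunk; only the `class RequestValidator:` context is visible, so the origin of `url` and `request` cannot be confirmed here.
```python
# … unchanged: path_and_query assembled from request.url.path / .query …

# Double-encoding check runs on the raw (still percent-encoded) string.
if "%25" in path_and_query:
    return False, "Double URL encoding detected"

# Match patterns against the percent-decoded form so the encoding state of
# path vs. query does not affect detection.
decoded = unquote(path_and_query)
for pattern in self.suspicious_patterns:
    if pattern.search(decoded):
        return False, "Suspicious pattern in URL"

return True, None
```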