From f335e3524a2961eb1c14585b7521b941879e50d7 Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Fri, 3 Jul 2026 15:25:51 +0000 Subject: [PATCH] =?UTF-8?q?=EB=B3=B4=EC=95=88:=20GitHub=20API=20=ED=81=B4?= =?UTF-8?q?=EB=9D=BC=EC=9D=B4=EC=96=B8=ED=8A=B8=20SSRF=20=EC=B7=A8?= =?UTF-8?q?=EC=95=BD=EC=A0=90=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- scripts/ci/collect_org_security_failures.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/ci/collect_org_security_failures.py b/scripts/ci/collect_org_security_failures.py index c966b56..0e66e81 100644 --- a/scripts/ci/collect_org_security_failures.py +++ b/scripts/ci/collect_org_security_failures.py @@ -69,6 +69,10 @@ class GitHub: def __init__(self, token: str, api: str = API): self.token = token self.api = api.rstrip("/") + # Security concern: Prevent Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) + # by ensuring the API base URL only uses secure, safe HTTP schemes before opening connections. + if not self.api.startswith(("http://", "https://")): + raise ValueError("API URL must start with http:// or https://") def request(self, method: str, path: str, data: dict[str, Any] | None = None, params: dict[str, Any] | None = None) -> Any: query = f"?{urllib.parse.urlencode(params)}" if params else ""