url.startswith("https://prefix") -> url.startswith("https://prefix/")
bcaller committed Aug 23, 2023
1 parent d2f45fc commit aaa64d0
Showing 2 changed files with 37 additions and 0 deletions.
17 changes: 17 additions & 0 deletions assets/semgrep_rules/services/starts-with-partial-host-py.py
@@ -0,0 +1,17 @@
# ruleid: starts-with-partial-host-py
my_urI[0].startswith("https://x.y")

# ruleid: starts-with-partial-host-py
request.url.startswith('https://example.com')

# ruleid: starts-with-partial-host-py
url.startswith('http://127.0.0.1:')

# ok: starts-with-partial-host-py
url.startswith("https://ba.na/x")

# ok: starts-with-partial-host-py
url.startswith("https://")

# ok: starts-with-partial-host-py
url.startswith("xyz://abc/https://def")
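Review bot: the `# ok` cases never exercise the exact fix the rule's message asks for, a prefix that ends in the host's trailing slash; add `url.startswith("https://example.com/")` as an `# ok` case so a regression that loosens `[^/]+$` is caught. A second gap is the receiver-name filter: every case here uses a name containing `url`/`uri`, so nothing pins the `$URL` metavariable-regex; an `# ok` line such as `origin.startswith("https://example.com")` would document that names without `ur[li]` are deliberately skipped. The `my_urI[0]` case only passes because of the `(?i)` flag in the rule; a short comment saying it is there to test case-insensitivity would stop a future reader from "fixing" the capital I.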
20 changes: 20 additions & 0 deletions assets/semgrep_rules/services/starts-with-partial-host-py.yaml
@@ -0,0 +1,20 @@
rules:
- id: starts-with-partial-host-py
metadata:
author: Ben Caller
confidence: LOW
source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/starts-with-partial-host-py.yaml
patterns:
- pattern: $URL.startswith("$PREFIX")
- metavariable-regex:
metavariable: $PREFIX
regex: (?i)^https?://[^/]+$
- metavariable-regex:
# Avoid false positives where we actually have an origin or hostname
metavariable: $URL
regex: (?i).*ur[li].*
message: |
Add a forward-slash at the end to prevent matching `$PREFIX.e.vil` or `$PREFIX@e.vil`.
Even better, properly parse the URL and match a list of origins/hosts.
languages: [python]
severity: WARNING
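Review bot: the `$PREFIX` regex `(?i)^https?://[^/]+$` also accepts prefixes ending in `?` or `#` (e.g. `https://example.com?`), which terminate the authority under RFC 3986 and are not bypassable by the `$PREFIX.e.vil` / `$PREFIX@e.vil` trick the message describes; tightening the class to `[^/?#]+` would avoid that false positive while still flagging the bare-host and `host:` forms covered by the test file. The `$URL` filter `(?i).*ur[li].*` is a name heuristic that silences hits on receivers like `origin`, `redirect_to` or `href`; that is a reasonable trade for `confidence: LOW`, but the inline comment should say so explicitly ("only flag receivers whose name contains url/uri") rather than describing it as avoiding origin/hostname false positives, since the regex inspects the variable name, not its value.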
