False positive: SSRF warning on user-based input in FastAPI endpoint #17353
Comments
@github/codeql-python : Could you help out here, please?
Resolving this issue is not a current product priority, but we acknowledge the report and will track it internally for future consideration, or if we observe repeated instances of the same problem.
Hi @hvitved, that's good enough. I mainly wanted confirmation as to whether this was a false positive or an actual error on my part, and I have received confirmation that it is indeed a false positive (https://security.stackexchange.com/a/278538/309008). Keep up the good work with CodeQL!
Description of the false positive
I have made attempts to validate the inputs used in the FastAPI endpoint, making sure that they are from a list of approved entries, and checking the string to make sure that only certain characters are permitted.
If this is not a false positive, advice on what I could improve would be appreciated.
Code samples or links to source code
This is a FastAPI endpoint to return specific packages from an MSYS2 repo to client PCs that cannot see the wider internet.
URL to the alert on GitHub code scanning (optional)
https:/DiamondLightSource/python-murfey/security/code-scanning/402
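The validation the report describes (an approved-entries list plus a character check before the value is used to build the upstream URL), as an added example; this is not python-murfey's endpoint code. The upstream base URL, the sample allowlist and the function names are assumptions; the route handler that would call `upstream_url` is left out so the block runs without FastAPI installed.

```python
"""Allowlist-gated package proxy helper (added example, not the project's code)."""
import re
from urllib.parse import quote

# Assumed upstream mirror; only this constant decides the host and directory.
UPSTREAM_BASE = "https://repo.msys2.org/mingw/ucrt64/"

# Constructed sample allowlist. Mapping name -> name means the value handed to
# the URL builder is the table's own constant string, not the request string.
APPROVED_PACKAGES = {
    n: n
    for n in (
        "mingw-w64-ucrt-x86_64-python-3.11.9-1-any.pkg.tar.zst",
        "mingw-w64-ucrt-x86_64-numpy-1.26.4-1-any.pkg.tar.zst",
    )
}

# Plain filename only: no '/', no '..' at the start, no ':' or '@' (no scheme,
# no userinfo), so the string can never name a different host or path.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


class InvalidPackage(ValueError):
    """Raised when the requested name fails either check."""


def validate_package(name: str) -> str:
    """Return the allowlist's own copy of `name`, or raise InvalidPackage."""
    if not SAFE_NAME.fullmatch(name):
        raise InvalidPackage("name contains disallowed characters")
    try:
        return APPROVED_PACKAGES[name]
    except KeyError:
        raise InvalidPackage("package is not in the approved list") from None


def is_approved(name: str) -> bool:
    """Boolean form of validate_package, convenient for tests and logging."""
    try:
        validate_package(name)
        return True
    except InvalidPackage:
        return False


def upstream_url(name: str) -> str:
    """Build the only URL the endpoint would fetch for a client request."""
    safe = validate_package(name)
    return UPSTREAM_BASE + quote(safe, safe="")
```

In the route handler, `InvalidPackage` would be mapped to a 4xx response and `upstream_url` would be the sole source of the outbound request's URL.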