feat: implement paypal webhook refunds #309
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| except Exception as e: # pylint: disable=broad-exception-caught | ||
| if not self._is_valid_url(url): | ||
| raise ValueError("Invalid or untrusted URL provided") from e | ||
| r = requests.get(url) # pylint: disable=missing-timeout |
Check failure
Code scanning / CodeQL
Full server-side request forgery
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 5 days ago
To fix the problem, we need to ensure that the URL used in the requests.get call is fully validated and cannot be manipulated by an attacker. One way to achieve this is to maintain a list of authorized URLs on the server and choose from that list based on the input provided. Alternatively, we can enhance the validation to ensure that the URL is safe.
In this case, we will enhance the validation by ensuring that the URL path is also checked to prevent any potential SSRF attacks. We will modify the _is_valid_url method to include this additional validation.
| @@ -61,2 +61,4 @@ | ||
| return False | ||
| if not parsed_url.path.startswith('/'): | ||
| return False | ||
| return True |
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
mubbsharanwar
force-pushed
the
manwar/SONIC-784
branch
from
4d53c9b to
58c5896
Compare
handle paypal payment recipt url SONIC-784
shafqatfarhan
force-pushed
the
aht007/SONIC-808-paypal-webhook-refunds
branch
from
ec251d6 to
d03d47a
Compare
|
Failing tests here are related to Paypal receipts which will be resolved in its own branch. |
Merge checklist:
Check off if complete or not applicable:
Post-merge: