@snamber snamber commented Jun 6, 2025

Potential fix for https://github.com/tilebox/tilebox-python/security/code-scanning/1

To fix the issue, the URL should be parsed using Python's urllib.parse module, and the hostname should be explicitly checked to ensure it matches api.tilebox.com. This approach avoids the pitfalls of substring checks and ensures that the URL's structure is properly validated.

Steps to implement the fix:

  1. Import urlparse from urllib.parse.
  2. Parse the URL using urlparse(url) to extract its hostname.
  3. Replace the substring check "api.tilebox.com" in url with a hostname check parsed_url.hostname == "api.tilebox.com".

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

snamber and others added 2 commits June 6, 2025 14:39
… sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@lukasbindreiter

@snamber Hmm the AI wasn't very successful here:

urlparse(url) doesn't work very well for grpc urls, which also can contain no schema, e.g.

[screenshot of the urlparse output, not reproduced]

That's why we have our own parse_channel_info helper - which I updated now a bit to also be useful here.

@lukasbindreiter lukasbindreiter changed the title Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization Fix token required check for api.tilebox.com Jun 10, 2025
@lukasbindreiter lukasbindreiter marked this pull request as ready for review June 10, 2025 09:23
@lukasbindreiter lukasbindreiter merged commit b1c54a3 into main Jun 10, 2025
8 checks passed
@lukasbindreiter lukasbindreiter deleted the stefan/tbx-2471-incomplete-url-substring-sanitization-in-tilebox-python branch June 10, 2025 09:24