[Security] Centralize outbound URL policy for core fetches and health checks #239

Closed
opened 2026-07-11 12:51:04 +02:00 by zemion · 1 comment
Owner

Bandit/Semgrep flag dynamic URL fetches in core. Several call sites already restrict to HTTP(S), but there is no common outbound URL policy for scheme, host allow/deny, private networks, redirects, or timeout behavior.

Classification: structural security work.

Report evidence:

  • govoplan-core/src/govoplan_core/core/configuration_packages.py:693, :717.
  • govoplan-core/src/govoplan_core/core/module_license.py:264.
  • govoplan-core/src/govoplan_core/core/module_package_catalog.py:357, :424.
  • govoplan-core/src/govoplan_core/core/module_installer.py:2694 health URL polling.
  • govoplan-core/scripts/gitea_common.py:113, scripts/release-doctor.py:1123.

Suggested next steps:

  • Add a shared URL validation/fetch helper with HTTP(S)-only enforcement, optional host allowlists, private-network policy, redirect policy, and consistent errors.
  • Use it for catalogs, licenses, configuration packages, health checks, and operator scripts where applicable.
  • Then add narrow scanner annotations only at validated call sites.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:core-url-egress --> Bandit/Semgrep flag dynamic URL fetches in core. Several call sites already restrict to HTTP(S), but there is no common outbound URL policy for scheme, host allow/deny, private networks, redirects, or timeout behavior. Classification: **structural security work**. Report evidence: - `govoplan-core/src/govoplan_core/core/configuration_packages.py:693`, `:717`. - `govoplan-core/src/govoplan_core/core/module_license.py:264`. - `govoplan-core/src/govoplan_core/core/module_package_catalog.py:357`, `:424`. - `govoplan-core/src/govoplan_core/core/module_installer.py:2694` health URL polling. - `govoplan-core/scripts/gitea_common.py:113`, `scripts/release-doctor.py:1123`. Suggested next steps: - Add a shared URL validation/fetch helper with HTTP(S)-only enforcement, optional host allowlists, private-network policy, redirect policy, and consistent errors. - Use it for catalogs, licenses, configuration packages, health checks, and operator scripts where applicable. - Then add narrow scanner annotations only at validated call sites. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
bug
priority
p1
status
ready
module/core
codex/ready
labels 2026-07-11 12:51:04 +02:00
zemion added the
area/security
audit/structural
source/security-audit
labels 2026-07-11 16:04:42 +02:00
Author
Owner

Codex State: done

Summary

  • Strengthened core HTTP URL checks to require absolute HTTP(S), a hostname, and no embedded credentials.
  • Applied the guard to module package catalog fetches, configuration package catalog/key fetches, license key fetches, and module installer health checks.
  • Added narrow scanner suppressions only at validated urlopen calls.

Changed Files

  • src/govoplan_core/core/configuration_packages.py
  • src/govoplan_core/core/module_installer.py
  • src/govoplan_core/core/module_license.py
  • src/govoplan_core/core/module_package_catalog.py

Verification

  • python3 -m py_compile for all changed core files.

Local fix is ready to push.

## Codex State: done ### Summary - Strengthened core HTTP URL checks to require absolute HTTP(S), a hostname, and no embedded credentials. - Applied the guard to module package catalog fetches, configuration package catalog/key fetches, license key fetches, and module installer health checks. - Added narrow scanner suppressions only at validated `urlopen` calls. ### Changed Files - `src/govoplan_core/core/configuration_packages.py` - `src/govoplan_core/core/module_installer.py` - `src/govoplan_core/core/module_license.py` - `src/govoplan_core/core/module_package_catalog.py` ### Verification - `python3 -m py_compile` for all changed core files. Local fix is ready to push.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-core#239
No description provided.