Harden audit tooling and release helpers
This commit is contained in:
@@ -31,7 +31,7 @@ class RepoTarget:
|
||||
|
||||
@property
|
||||
def api_base(self) -> str:
|
||||
return f"{self.base_url.rstrip('/')}/api/v1"
|
||||
return f"{validated_http_base_url(self.base_url)}/api/v1"
|
||||
|
||||
|
||||
def repo_root(start: pathlib.Path) -> pathlib.Path:
|
||||
@@ -80,6 +80,15 @@ def quote_path(value: str) -> str:
|
||||
return urllib.parse.quote(value, safe="")
|
||||
|
||||
|
||||
def validated_http_base_url(value: str) -> str:
|
||||
parsed = urllib.parse.urlparse(value.rstrip("/"))
|
||||
if parsed.scheme not in {"http", "https"} or not parsed.netloc:
|
||||
raise GiteaError("Gitea URL must use http:// or https:// with a hostname.")
|
||||
if parsed.username or parsed.password:
|
||||
raise GiteaError("Gitea URL must not include embedded credentials.")
|
||||
return urllib.parse.urlunparse((parsed.scheme, parsed.netloc, parsed.path.rstrip("/"), "", "", ""))
|
||||
|
||||
|
||||
class GiteaClient:
|
||||
def __init__(self, target: RepoTarget, token: str | None) -> None:
|
||||
self.target = target
|
||||
@@ -110,7 +119,7 @@ class GiteaClient:
|
||||
|
||||
request = urllib.request.Request(url, data=data, headers=headers, method=method)
|
||||
try:
|
||||
with urllib.request.urlopen(request, timeout=30) as response:
|
||||
with urllib.request.urlopen(request, timeout=30) as response: # noqa: S310 - validated Gitea http(s) API URL. # nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
|
||||
payload = response.read().decode("utf-8")
|
||||
if not payload:
|
||||
return None
|
||||
|
||||
Reference in New Issue
Block a user