I'm writing a function that takes an HTTP request from pip for package names, generating a response via FastAPI in the process. However, GitHub CodeQL does not like it, and warns that it is at risk of server-side request forgery.
I have already made a couple of attempts at doing so, but GitHub CodeQL has not accepted any of them so far. How can I rewrite the following to satisfy GitHub CodeQL's variable validation requirements?
The relevant block of code:

```python
import re

import requests
from fastapi import APIRouter, HTTPException, Request, Response

pypi = APIRouter(prefix="/pypi", tags=["bootstrap"])


@pypi.get("/{package}/", response_class=Response)
def get_pypi_package_downloads_list(package: str) -> Response:
    """Obtain list of all package downloads from PyPI via the simple API (PEP 503)."""
    # I have made multiple attempts at writing a conditional to validate this
    # variable, but none have worked so far.

    # Attempt 1
    # Check that it's a PyPI URL
    url = f"https://pypi.org/simple/{package}"
    if "pypi" in url:
        full_path_response = requests.get(url)
    else:
        raise ValueError("This is not a valid package")

    # Attempt 2
    # Validate that package name is alphanumeric (allow _ and -)
    if package.replace("_", "").replace("-", "").isalnum():
        url = f"https://pypi.org/simple/{package}"
        full_path_response = requests.get(url)
    else:
        raise ValueError("This is not a valid package")

    # Attempt 3
    # Check that it's a valid connection
    with requests.get(f"https://pypi.org/simple/{package}") as http_response:
        if http_response.status_code == 200:
            full_path_response = http_response
        else:
            raise ValueError("This is not a valid package")

    # Attempt 4
    # Tried using RegEx matching to validate package name
    if re.match(r"^[\w\d_-]+$", package):
        full_path_response = requests.get(f"https://pypi.org/simple/{package}")
    else:
        raise ValueError("This is not a valid package")

    return Response(content=full_path_response.content,
                    media_type=full_path_response.headers.get("content-type"))
```

Thanks!
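An added example (not part of the question above or any posted answer) of the shape such a check usually takes. The scheme and host are hard-coded, so the request path is the only thing the caller controls; the defensive approach is to allowlist the name against the PEP 508 project-name grammar, normalise it per PEP 503, percent-encode it when building the URL, and then check the finished URL still points at the expected host and path prefix. Two details matter for the attempts in the question: `re.match` with `$` also matches just before a trailing newline (so `"requests\n"` slips through), and `\w` and `str.isalnum()` are Unicode-aware, accepting letters that PyPI never uses. Whether CodeQL's SSRF query recognises any particular check as a sanitizer depends on the query version in use, so "the alert disappears" is something to verify in the scan, not assume. The function and constant names below are this example's own, and it uses only the standard library so it runs offline; `fetch_simple_index` is the only part that touches the network.

```python
import re
from urllib.parse import quote, urlsplit

# Names in this example are hypothetical, chosen for this illustration.
PYPI_SIMPLE_BASE = "https://pypi.org/simple/"

# PEP 508 project-name grammar: starts and ends with a letter or digit, with
# '.', '_' or '-' allowed in between. Slashes, '?', '#', '@', whitespace and
# newlines never match, so they are rejected rather than encoded.
_PROJECT_NAME = re.compile(r"[A-Z0-9](?:[A-Z0-9._-]*[A-Z0-9])?", re.IGNORECASE)


def is_valid_package_name(name: str) -> bool:
    """True iff `name` is a syntactically valid PEP 508 project name.

    fullmatch() is used instead of match() plus '$' because '$' also matches
    before a trailing newline and would accept "requests\\n".
    """
    return _PROJECT_NAME.fullmatch(name) is not None


def normalize_package_name(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become one '-', lowercased.

    Raises ValueError for anything that is not a valid project name.
    """
    if not is_valid_package_name(name):
        raise ValueError(f"invalid package name: {name!r}")
    return re.sub(r"[-_.]+", "-", name).lower()


def pypi_simple_url(name: str) -> str:
    """Build the simple-index URL for a validated, normalised project name."""
    normalized = normalize_package_name(name)
    # After normalisation only [a-z0-9-] remain, so quote() changes nothing;
    # it stays so a future relaxation of the regex cannot smuggle '/', '?',
    # '#' or '@' into the request path.
    url = f"{PYPI_SIMPLE_BASE}{quote(normalized, safe='')}/"
    # Post-build check: the URL must still target the expected host and
    # path prefix. This catches a bug in the builder, not just bad input.
    parts = urlsplit(url)
    if (parts.scheme != "https" or parts.netloc != "pypi.org"
            or not parts.path.startswith("/simple/")):
        raise ValueError(f"refusing to build URL outside the simple index: {url}")
    return url


def fetch_simple_index(name: str, timeout: float = 10.0) -> bytes:
    """Fetch the simple-index page for `name` (network; stdlib stand-in for requests.get)."""
    import urllib.request

    with urllib.request.urlopen(pypi_simple_url(name), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample inputs: three legitimate names and four that must be refused.
    for candidate in ["requests", "Flask_SQLAlchemy", "zope.interface",
                      "../legacy", "requests?x=1", "evil.com@", "requests\n"]:
        try:
            print(f"{candidate!r:22} -> {pypi_simple_url(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r:22} -> rejected ({exc})")
```

In the FastAPI handler the `ValueError` would become an `HTTPException(status_code=400)`, and the outbound call should carry a timeout as `fetch_simple_index` does; the `requests.get` calls in the question have none.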