Python: Fix false positive in 'Incomplete URL substring sanitization' query.

2026-05-02 20:25:13 +02:00 · 2019-04-18 12:42:27 +01:00
parent c674f54129
commit 28799441af
2 changed files with 13 additions and 2 deletions
--- a/python/ql/test/query-tests/Security/CWE-020/urltest.py
+++ b/python/ql/test/query-tests/Security/CWE-020/urltest.py
@@ -39,3 +39,12 @@ def safe2(request):
    if host and host.endswith(".example.com"):
        return redirect(target)

+
+@app.route('/some/path/good3')
+def safe3(request):
+    target = request.args.get('target', '')
+    target = urlparse(target)
+    #Start url with https:// and ends with a / so must match the correct domain.
+    if target and target.startswith("https://example.com/"):
+        return redirect(target)
+