`urllib` detected (BAN-B310)

Flagged occurrences:

Lines 84-90:
```python
if verbose:
    logger.debug(f"javascript url is{url}")
try:
    url_result = urllib.request.urlopen(url)
except Exception:
    # connection is broken
    return 0
```

Lines 120-126:
```python
if verbose:
    logger.debug(f"API url is{url}")
try:
    url_result = urllib.request.urlopen(url=url, timeout=2)  # 2 second time-out
except Exception:
    # not good
    if verbose:
```

Lines 67-73:
```python
# go to fast.com to get the javascript file
url = "https://fast.com/"
try:
    url_result = urllib.request.urlopen(url)
except Exception:
    logger.exception("No connection at all")
    # no connection at all?
```

Lines 26-32:
```python
    and keep writing the number of bytes retrieved into result[index]
    """
    try:
        req = urllib.request.urlopen(url)
    except urllib.error.URLError:
        result[index] = 0
        return
```
`urllib` not only opens `http://` or `https://` URLs, but also `ftp://` and `file://`. With this, it might be possible to open local files on the executing machine, which might be a security risk if the URL to open can be manipulated by an external user.

The `urllib.request` module defines functions and classes which help in opening URLs. `urllib.request.urlopen` can open `ftp://` and `file://` URLs. This is usually not intended and makes the application vulnerable to Server Side Request Forgery attacks.

Performing requests from user-provided data could allow attackers to make requests on the internal network or change, retrieve or delete sensitive information. You are yourself responsible for validating the URL before opening it with `urllib`.

It is recommended to validate the user-provided data, such as the URL and headers used to construct the request.

Since this is an audit issue, some occurrences may be harmless. The goal is to bring the issue to attention. Please make sure that the URL is trusted. If an occurrence doesn't seem to be valid, feel free to ignore it.
Bad practice:
```python
req = urllib.request.Request(url)
resp = urllib.request.urlopen(req)
```

Recommended:
```python
# Validate URL before opening it
if url.lower().startswith('http'):
    req = urllib.request.Request(url)
else:
    raise ValueError("only http(s) URLs may be opened") from None
with urllib.request.urlopen(req) as resp:
    [...]
```
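As an added example (not code from this page or from the scanned project), the following tightens the `startswith('http')` prefix test above: the scheme is taken from `urllib.parse.urlsplit` and compared exactly, a host is required, and as a second line of defence an `OpenerDirector` is assembled with only the HTTP/HTTPS handlers, so `file://` and `ftp://` URLs fail with `URLError` even if they reach the opener. The function names are my own.

```python
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = frozenset({"http", "https"})

def validate_url(url: str) -> str:
    """Return url if it is an absolute http(s) URL, else raise ValueError.
    urlsplit() yields the exact (lower-cased) scheme, so 'httpfoo://' is not
    accepted the way a startswith('http') prefix test would accept it."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing to open URL with scheme {parts.scheme!r}")
    if not parts.hostname:  # e.g. 'http:///path' or a relative path
        raise ValueError("refusing to open URL without a host")
    return url

def is_allowed(url: str) -> bool:
    """True if validate_url() accepts url."""
    try:
        validate_url(url)
    except ValueError:
        return False
    return True

def build_http_only_opener() -> urllib.request.OpenerDirector:
    """Opener with http/https handlers only. Unlike build_opener() it installs
    no FileHandler, FTPHandler or redirect handler, so file:// and ftp:// URLs
    raise URLError instead of being fetched and redirects are not followed."""
    opener = urllib.request.OpenerDirector()
    for handler in (urllib.request.HTTPHandler(), urllib.request.HTTPSHandler(),
                    urllib.request.HTTPDefaultErrorHandler(),
                    urllib.request.HTTPErrorProcessor(),
                    urllib.request.UnknownHandler()):  # URLError for other schemes
        opener.add_handler(handler)
    return opener

def safe_urlopen(url: str, timeout: float = 2.0):
    """Scheme check first, then open through the restricted opener."""
    return build_http_only_opener().open(validate_url(url), timeout=timeout)

def opener_rejects(url: str) -> bool:
    """True if the restricted opener refuses url; needs no network access."""
    try:
        build_http_only_opener().open(url)
    except urllib.error.URLError:
        return True
    return False
```

Scheme validation alone does not stop a request to an internal host; where the URL is user-controlled, also restrict the allowed hostnames or the addresses they resolve to.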
## References:
- OWASP Top 10 2021 Category A10 - [Server Side Request Forgery](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)
- [CWE-918](https://cwe.mitre.org/data/definitions/918.html) - Server-Side Request Forgery (SSRF)