Azure python sanitizer upstream2 #21288
base: main
Conversation
…orgery/test_azure_client.py Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…cases to use postprocessing results. Currently results for partial ssrf still need work; it is flagging cases where the URL is fully controlled, but is sanitized. I'm not sure if this should be flagged yet.
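To make concrete why a domain check like `URIValidator.in_domain` is modeled as a barrier for full URL control only, here is an added example (not code from this PR or from the AntiSSRF library); `in_domain`, `TRUSTED_DOMAIN` and the two builder functions are hypothetical stand-ins for the validator and for the `full_url` / `url` test cases.

```python
"""Constructed illustration of the modeling decision in this PR: a domain check
sanitizes *full* URL control but not *partial* URL control. `in_domain` is a
hypothetical stand-in written for this example, not the AntiSSRF library's code."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed value; the real tests use a `trusted_domain` variable.
TRUSTED_DOMAIN = "vault.example"


def in_domain(url: str, trusted_domain: str) -> bool:
    """Hypothetical validator: True only when `url` is https and its host is
    `trusted_domain` itself or a subdomain of it (suffix match on a dot
    boundary, so 'notvault.example' does not pass)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    trusted = trusted_domain.lower().strip(".")
    if parts.scheme != "https" or not host:
        return False
    return host == trusted or host.endswith("." + trusted)


def vault_url_full_control(user_url: str,
                           trusted_domain: str = TRUSTED_DOMAIN) -> Optional[str]:
    """Full control: the whole URL comes from the user (the `full_url` cases in
    the tests). The domain check decides which host the request can reach, so
    it is a barrier for py/full-ssrf: a rejected URL never reaches the sink."""
    if not in_domain(user_url, trusted_domain):
        return None
    return user_url  # would become SecretClient(vault_url=...) in the tests


def vault_url_partial_control(user_path: str,
                              base: str = "https://" + TRUSTED_DOMAIN,
                              trusted_domain: str = TRUSTED_DOMAIN) -> Optional[str]:
    """Partial control: the host is fixed by `base` and only the path comes from
    the user (the `url` cases in the tests). `in_domain` passes for every path,
    so it constrains nothing the user controls; py/partial-ssrf stays reported."""
    url = base.rstrip("/") + "/" + user_path.lstrip("/")
    if not in_domain(url, trusted_domain):
        return None
    return url
```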
Pull request overview
This PR updates the Python SSRF (CWE-918) query tests to use inline-expectations postprocessing and adds modeling/tests for the AntiSSRF library’s URI validation as a sanitizer for full URL control.
Changes:
- Migrate SSRF query-tests to `utils/test/InlineExpectationsTestQuery.ql` postprocessing.
- Expand SSRF test coverage for `requests`, `http.client`, Azure SDK sinks, and new AntiSSRF validation APIs.
- Add an AntiSSRF `URIValidator` barrier/sanitizer to SSRF dataflow customizations and record the change in change notes.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 15 comments.
| File | Description |
|---|---|
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py | Adds more requests SSRF cases and AntiSSRFPolicy-based safe/unsafe session scenarios with inline expectations. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py | New tests covering AntiSSRF URIValidator domain checks and how they interact with SSRF sink classification. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_http_client.py | Updates http.client SSRF tests to inline expectations and adds sink annotations. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py | Converts Azure SSRF sink tests to inline expectations and simplifies call formatting. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/full_partial_test.py | Refactors existing full/partial SSRF test cases to inline expectations and adds explicit alert annotations. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.qlref | Switches to query:/postprocess: format to enable inline expectations postprocessing. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/PartialServerSideRequestForgery.expected | Regenerated expected output for postprocessed partial SSRF tests. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.qlref | Switches to query:/postprocess: format to enable inline expectations postprocessing. |
| python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/FullServerSideRequestForgery.expected | Regenerated expected output for postprocessed full SSRF tests. |
| python/ql/lib/semmle/python/security/dataflow/ServerSideRequestForgeryCustomizations.qll | Adds AntiSSRF URIValidator barrier/guard modeling for full URL control sanitization. |
| python/ql/lib/change-notes/2026-02-09-ssrf_test_case_cleanup_and_new_ssrf_barriers.md | Documents the SSRF test cleanup and new AntiSSRF barrier behavior. |
Comments suppressed due to low confidence (47)
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:21
- Variable c is not used.
c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:35
- Variable c is not used.
c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:37
- Variable c is not used.
c = KeyClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:51
- Variable c is not used.
c = ShareFileClient.from_file_url(full_url) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:53
- Variable c is not used.
c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:130
- Variable c is not used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:132
- Variable c is not used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py:29
- Variable response is not used.
response = session.get(user_input)
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py:39
- Variable response is not used.
response = session.get(user_input) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_requests.py:49
- Variable response is not used.
response = session.get(user_input) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:16
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:17
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:18
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:19
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = KeyClient(url, credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:20
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_azure_client.py:21
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:16
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:30
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:32
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = KeyClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:46
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:48
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:64
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:66
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:69
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:71
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:74
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:76
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:79
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:81
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:85
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:87
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:90
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:92
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:95
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:97
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:100
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:102
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:105
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:107
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:110
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:112
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:115
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:117
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:120
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:122
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:125
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/full-ssrf]
python/ql/test/query-tests/Security/CWE-918-ServerSideRequestForgery/test_path_validation.py:127
- This assignment to 'c' is unnecessary as it is redefined before this value is used.
c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf]
| # It assumed the logic underlying checking paths would apply | ||
| # similarly other validator methods |
Copilot (AI), Feb 9, 2026:
Grammar/clarity: these comments read awkwardly (for example, "It assumed" → "It is assumed", and "similarly other" → "similarly to other"). Also consider removing the trailing space at the end of the line.
| # It assumed the logic underlying checking paths would apply | |
| # similarly other validator methods | |
| # It is assumed that the logic underlying path checking would apply | |
| # similarly to other validator methods. |
| ) | ||
| } | ||
|
|
||
| /** A validation that a string does not contain certain characters, considered as a sanitizer. */ |
Copilot (AI), Feb 9, 2026:
The doc comment above UriValidator appears to be copy/pasted from StringRestrictionSanitizerGuard and doesn’t match what follows (this is about URI/domain validation rather than restricting characters). Please update the comment so it accurately describes the sanitizer/guard being introduced.
| /** A validation that a string does not contain certain characters, considered as a sanitizer. */ | |
| /** A validation that a URI belongs to an allowed domain, considered as a full-URL control sanitizer. */ |
| @@ -1,11 +1,49 @@ | |||
| from flask import request | |||
| from flask import request # $ Source | |||
Copilot (AI), Feb 9, 2026:
The # $ Source annotation on the Flask import appears to be unmatched by the postprocessed query output (the generated .expected for the partial SSRF test reports it as a missing Source). Since this file is used by both the full and partial SSRF query tests, consider removing this Source annotation here or rewriting it to attach to a node that is actually emitted as a Source for both queries.
| from flask import request # $ Source | |
| from flask import request |
| # this makes the session unsafe again | ||
| session.mount("http://", requests.adapters.HTTPAdapter()) | ||
| # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy | ||
| response = session.get(user_input) # $ Alert[py/full-ssrf] |
Copilot (AI), Feb 9, 2026:
This # $ Alert[py/full-ssrf] expectation currently isn’t satisfied (it shows up as a missing alert in the generated FullServerSideRequestForgery.expected). Either adjust the SSRF modeling so mounting a non-AntiSSRF adapter makes the session unsafe again, or mark this expectation as $ MISSING if the limitation is intentional.
| response = session.get(user_input) # $ Alert[py/full-ssrf] | |
| response = session.get(user_input) # $ MISSING: py/full-ssrf |
| # this could make the session unsafe again | ||
| session.mount("http://", adapter) | ||
| # NOT OK -- dangerous user input is no longer filtered by AntiSSRFPolicy | ||
| response = session.get(user_input) # $ Alert[py/full-ssrf] No newline at end of file |
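Review bot: the last line reads `No newline at end of file`; terminate the file with a newline. The comment `# this could make the session unsafe again` also leaves open whether mounting `adapter` is meant to drop the AntiSSRFPolicy protection; state the intended behaviour in the comment so the `# $ Alert[py/full-ssrf]` expectation on the next line reads as a decision rather than a guess.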
Copilot (AI), Feb 9, 2026:
Same as above: this # $ Alert[py/full-ssrf] expectation is currently unmet (reported as missing in FullServerSideRequestForgery.expected). Please either update the modeling to treat the session as unsafe after mount(...) with a custom adapter, or mark the expectation as $ MISSING to avoid committing a permanently failing inline expectation.
| response = session.get(user_input) # $ Alert[py/full-ssrf] | |
| response = session.get(user_input) # $ MISSING: Alert[py/full-ssrf] |
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | ||
| c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | ||
| c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | ||
| c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | ||
| c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] | ||
| c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | ||
| c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | ||
| c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] |
Copilot (AI), Feb 9, 2026:
Variable c is not used.
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | |
| c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | |
| c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] | |
| c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | |
| c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | |
| ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | |
| KeyClient(url, credential) # $ Alert[py/partial-ssrf] | |
| KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | |
| ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] |
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | ||
|
|
||
| if URIValidator.in_domain(full_url, trusted_domain): | ||
| c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/partial-ssrf] |
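Review bot: the `# $ Alert[py/partial-ssrf]` on `SecretClient(vault_url=full_url, ...)` inside the `URIValidator.in_domain(full_url, trusted_domain)` guard encodes exactly the case the description calls undecided (a fully controlled URL that the validator has already accepted is still reported as partial SSRF). Add a comment on that line saying whether this alert is intended, so the expectation records a decision instead of the current query output.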
Copilot (AI), Feb 9, 2026:
Variable c is not used.
This issue also appears in the following locations of the same file:
- line 21
- line 35
- line 37
- line 51
- line 53
- ...and 2 more
| def ssrf_test3(): | ||
| user_input = request.args['untrusted_input'] | ||
| # NOT OK -- user has full control | ||
| response = requests.request('<method>', user_input) # $ Alert[py/full-ssrf] |
Copilot (AI), Feb 9, 2026:
Variable response is not used.
This issue also appears in the following locations of the same file:
- line 29
- line 39
- line 49
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | ||
| c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | ||
| c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | ||
| c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | ||
| c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] | ||
| c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | ||
| c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | ||
| c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] |
Copilot (AI), Feb 9, 2026:
This assignment to 'c' is unnecessary as it is redefined before this value is used.
This issue also appears in the following locations of the same file:
- line 16
- line 17
- line 18
- line 19
- line 20
- ...and 1 more
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| c = SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| c = ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | |
| c = ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | |
| c = KeyClient(url, credential) # $ Alert[py/partial-ssrf] | |
| c = KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | |
| c = ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| c = ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| SecretClient(vault_url=full_url, credential=credential) # $ Alert[py/full-ssrf] | |
| ShareFileClient.from_file_url(url) # $ Alert[py/partial-ssrf] | |
| ShareFileClient.from_file_url(full_url) # $ Alert[py/full-ssrf] | |
| KeyClient(url, credential) # $ Alert[py/partial-ssrf] | |
| KeyClient(full_url, credential) # $ Alert[py/full-ssrf] | |
| ContainerClient.from_container_url(container_url=url, credential=credential) # $ Alert[py/partial-ssrf] | |
| ContainerClient.from_container_url(container_url=full_url, credential=credential) # $ Alert[py/full-ssrf] |
| full_url = f"https://{user_input2}" | ||
|
|
||
| if URIValidator.in_domain(url, trusted_domain): | ||
| c = SecretClient(vault_url=url, credential=credential) # $ Alert[py/partial-ssrf] |
Copilot (AI), Feb 9, 2026: