johba/disinto
1
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

fix: SECURITY: Unquoted curl URLs with variables in API calls (#60)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details

Browse source 
Add URL validation helper to prevent URL injection attacks in API calls.

- Added validate_url() helper in lib/env.sh to validate URL format
- Added validation to forge_api() to prevent URL injection
- Added validation to woodpecker_api() to prevent URL injection
- Added validation to ci-debug.sh api() function
- All URLs are already properly quoted with "${VAR}/..." patterns
- This adds defense-in-depth by validating URL variables before use
This commit is contained in:
Agent 2026-03-31 18:36:28 +00:00
parent 357c25c7f6
commit 318910265e
2 changed files with 71 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

5
lib/ci-debug.sh
View file

@ -17,6 +17,11 @@ REPO="${FORGE_REPO}"
API="${WOODPECKER_SERVER}/api/repos/${WOODPECKER_REPO_ID}"
api() {
# Validate API URL to prevent URL injection
if ! validate_url "$API"; then
echo "ERROR: API URL validation failed - possible URL injection attempt" >&2
return 1
fi
curl -sf -H "Authorization: Bearer ${WOODPECKER_TOKEN}" "${API}/$1"
}