Skip to content
This repository was archived by the owner on Dec 2, 2025. It is now read-only.

fix: use wildcard for github domain validation #62

Merged
lpbedard merged 4 commits into from
Jun 12, 2025
Merged

fix: use wildcard for github domain validation #62

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
de313cc
fix: use wildcard for github domain validation
lpbedard Jun 12, 2025
7c1b7a2
fix: adding more tests
lpbedard Jun 12, 2025
6d53e26
fix: fmt
lpbedard Jun 12, 2025
3baf645
fix: Extract domain in its own method
lpbedard Jun 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions github/Requester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1218,19 +1218,21 @@ def __recordRequestTime(self, verb: str) -> None:
# Updates self.__last_requests with current timestamp for given verb
self.__last_requests[verb] = datetime.now(timezone.utc).timestamp()

def __extractDomainFromHostname(self, hostname: str) -> str:
# Extracts the domain from a hostname
return ".".join(hostname.split(".")[-2:])

def __makeAbsoluteUrl(self, url: str) -> str:
# URLs generated locally will be relative to __base_url
# URLs returned from the server will start with __base_url
if url.startswith("/"):
url = f"{self.__prefix}{url}"
else:
o = urllib.parse.urlparse(url)
assert o.hostname in [
assert self.__extractDomainFromHostname(o.hostname) in [
self.__hostname,
"uploads.github.com",
"status.github.com",
"github.com",
"objects.githubusercontent.com",
"githubusercontent.com",
], o.hostname
assert o.path.startswith((self.__prefix, self.__graphql_prefix, "/api/", "/login/oauth")), o.path
assert o.port == self.__port, o.port
Expand Down
33 changes: 33 additions & 0 deletions tests/Requester.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -263,6 +263,39 @@ def testBaseUrlPrefixRedirection(self):
"Following Github server redirection from /api/v3/repos/PyGithub/PyGithub to /repos/PyGithub/PyGithub"
)

def testMakeAbsoluteUrl(self):
class TestAuth(github.Auth.AppAuth):
pass

# create a Requester with non-default arguments
auth = TestAuth(123, "key")
requester = github.Requester.Requester(
auth=auth,
base_url="https://base.url",
timeout=1,
user_agent="user agent",
per_page=123,
verify=False,
retry=3,
pool_size=5,
seconds_between_requests=1.2,
seconds_between_writes=3.4,
lazy=True,
)

with self.assertRaises(AssertionError) as exc:
requester._Requester__makeAbsoluteUrl("https://github.com.malicious.com"),
self.assertEqual(exc.exception.args, "AssertionError: github.com.malicious.com")

for url in [
"github.com",
"uploads.github.com",
"status.github.com",
"objects.githubusercontent.com",
"release-assets.githubusercontent.com",
]:
self.assertEqual(requester._Requester__makeAbsoluteUrl(f"https://{url}"), "")

PrimaryRateLimitErrors = [
"API rate limit exceeded for x.x.x.x. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.)",
]
Expand Down