From 0137a35d95c2731b554737bbb1476b90d8118095 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Thu, 27 Jun 2024 13:22:04 +0200
Subject: [PATCH] fix(utils): add simple validation of URL returned by GitHub

We need to trust GitHub API, but add simple safeguard so that CWE 99 scanners see the validation.
---
 weblate/utils/management/commands/sentry_deploy.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/weblate/utils/management/commands/sentry_deploy.py b/weblate/utils/management/commands/sentry_deploy.py
index 1a5fe0cdb24f..675f8039765a 100644
--- a/weblate/utils/management/commands/sentry_deploy.py
+++ b/weblate/utils/management/commands/sentry_deploy.py
@@ -4,6 +4,7 @@
 import requests
 from django.conf import settings
+from django.core.management.base import CommandError
 import weblate.utils.version
 from weblate.utils.management.base import BaseCommand
@@ -23,7 +24,11 @@ def handle(self, *args, **options) -> None:
         version = weblate.utils.version.TAG_NAME
         response = requests.get(TAGS_API.format(version), timeout=5)
         response.raise_for_status()
-        response = requests.get(response.json()["object"]["url"], timeout=5)
+        data = response.json()
+        object_url = data["object"]["url"]
+        if not object_url.startswith("https://api.github.com/"):
+            raise CommandError(f"Unexpected URL from GitHub: {object_url}")
+        response = requests.get(object_url, timeout=5)
         response.raise_for_status()
         ref = response.json()["object"]["sha"]
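Review bot: The new prefix check constrains only the first hop: `requests.get(object_url, timeout=5)` follows redirects by default, so a 3xx answer from api.github.com would be fetched from wherever `Location` points without passing the check; pass `allow_redirects=False` (or verify `response.url` after the call) if the safeguard is meant to hold rather than only satisfy a scanner. The trailing slash in `"https://api.github.com/"` is what stops a host such as `api.github.com.example` from matching, so it deserves a comment like `# trailing slash matters: rejects api.github.com.<other-host>` so nobody trims it, or replace the string test with an explicit comparison of `urlsplit(object_url).scheme` and `.netloc`. The unchanged last line still assumes the fetched object carries a nested `object.sha`, which presumably holds only for an annotated tag whose `data["object"]["type"]` is `"tag"`; now that `data` is a named variable, an explicit check of that field would turn a KeyError into a clear CommandError (confirm against the refs API before relying on this). handle()'s body continues past the end of the hunk.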