Fix code scanning alert no. 18: Full server-side request forgery

arpitjain099 · github-advanced-security[bot] · web-flow · commit a9b392e3d732 · 2024-10-20T14:27:23.000+09:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py b/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py
@@ -3,12 +3,17 @@
 import os
 import pdb
 import tiktoken
+import urllib.parse
+
+def is_valid_url(url):
+    parsed_url = urllib.parse.urlparse(url)
+    return parsed_url.scheme in ["http", "https"] and parsed_url.netloc != ""
 
 def make_prompt_request(prompt, max_tokens = 2048, timeout = 4):
     # Whitelist of allowed URLs
     allowed_urls = ["https://api.openai.com/v1/embeddings", "https://another-trusted-url.com"]
     url = os.getenv("AOAI_ENDPOINT")
-    if url not in allowed_urls:
+    if not is_valid_url(url) or url not in allowed_urls:
         raise ValueError("The provided URL is not allowed.")
     key = os.getenv("AOAI_KEY")
                   
