Support tools that require oauth #32

imranq2 · 2025-04-22T21:25:19Z

No description provided.

aikido-pr-checks · 2025-06-12T20:28:51Z

language_model_gateway/gateway/routers/oauth_router.py

+            token_response = requests.post(
+                well_known_configuration.token_endpoint, data=token_data
+            )


Potential user input in HTTP request may allow SSRF attack - medium severity
If an attacker can control the URL input leading into this HTTP request, the attack might be able to perform an SSRF attack. This kind of attack is even more dangerous if the application returns the response of the request to the user. It could allow them to retrieve information from higher privileged services within the network (such as the metadata service, which is commonly available in cloud services, and could allow them to retrieve credentials).

Remediation - medium confidence
This patch mitigates the opening of potentially unsafe URLs by implementing validation for URLs passed to urllib_urlopen.

Suggested change

token_response = requests.post(

well_known_configuration.token_endpoint, data=token_data

)

token_endpoint = well_known_configuration.token_endpoint

if not token_endpoint.startswith(('https://', 'http://')):

raise ValueError("Invalid token endpoint URL")

token_response = requests.post(token_endpoint, data=token_data)

^{View details in Aikido Security}

imranq2 added 24 commits February 1, 2025 10:00

add meeting analyzer

3af96fd

add meeting type to meeting analyzer

73508cf

add step to ask for meeting type to meeting analyzer

87037cf

add step to ask for meeting type to meeting analyzer

2ca9619

add step to evaluate contributor perf to meeting analyzer

ed97dde

add step to evaluate contributor perf to meeting analyzer

65c769a

add token reader

1cf1602

ad oauth_router.py

09ea14d

add oauth_router.py

253f619

get redirect to login working

d8d490c

add config

3d6c527

add well_known_configuration_reader.py

f294158

add well_known_configuration_reader to container

9fa41fa

add well_known_configuration_reader to container

2cc6869

add message to auth

dc06667

refactor oauth_router.py

371b056

Merge branch 'refs/heads/main' into meeting-analyzer

3506aab

refactor oauth_router.py

61b8870

add mock

04a3d1b

update router to support authorization grant

f490f8e

update router to support authorization grant

3b653ef

add client id

c2b6010

try a different approach to test_protected.py

eade083

try a different approach to test_protected.py

72d8046

aikido-pr-checks bot reviewed Jun 12, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Support tools that require oauth #32

Support tools that require oauth #32

Uh oh!

imranq2 commented Apr 22, 2025

Uh oh!

aikido-pr-checks bot Jun 12, 2025

Uh oh!

Uh oh!

-            token_response = requests.post(
-                well_known_configuration.token_endpoint, data=token_data
-            )
+            token_endpoint = well_known_configuration.token_endpoint
+            if not token_endpoint.startswith(('https://', 'http://')):
+                raise ValueError("Invalid token endpoint URL")
+            token_response = requests.post(token_endpoint, data=token_data)

Support tools that require oauth #32

Are you sure you want to change the base?

Support tools that require oauth #32

Uh oh!

Conversation

imranq2 commented Apr 22, 2025

Uh oh!

aikido-pr-checks bot Jun 12, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!