Fix security of GH api calls (#691)

cosenal · web-flow · commit fde12454f97b · 2026-01-23T14:39:50.000+01:00
* Fix security issues with GH api calls

* validate url
diff --git a/metriq_gym/exporters/github_pr_exporter.py b/metriq_gym/exporters/github_pr_exporter.py
@@ -13,6 +13,8 @@
 from metriq_gym.exporters.base_exporter import BaseExporter
 
 MAX_BRANCH_SUFFIX_ATTEMPTS = 1000
+GITHUB_API_NETLOC = "api.github.com"
+GITHUB_API_TIMEOUT_SECONDS = 30
 
 
 class GitHubPRExporter(BaseExporter):
@@ -232,6 +234,14 @@ def _headers(
             headers["Content-Type"] = content_type
         return headers
 
+    def _urlopen_github_api(self, req: urllib.request.Request):
+        url = req.full_url
+        parsed = urllib.parse.urlsplit(url)
+        if parsed.scheme != "https" or parsed.netloc.lower() != GITHUB_API_NETLOC:
+            raise ValueError(f"Refusing to open non-GitHub API URL: {url!r}")
+        opener = urllib.request.build_opener()
+        return opener.open(req, timeout=GITHUB_API_TIMEOUT_SECONDS)
+
     def _run(self, cmd: list[str]) -> None:
         try:
             subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -276,7 +286,7 @@ def _create_pull_request(
             method="POST",
         )
         try:
-            with urllib.request.urlopen(req) as resp:
+            with self._urlopen_github_api(req) as resp:
                 resp_data = json.loads(resp.read().decode("utf-8"))
         except urllib.error.HTTPError as e:
             raise RuntimeError(f"GitHub PR creation failed: {e.read().decode('utf-8')}") from e
@@ -300,7 +310,8 @@ def _add_labels_to_pull_request(
             method="POST",
         )
         try:
-            urllib.request.urlopen(req).read()
+            with self._urlopen_github_api(req) as resp:
+                resp.read()
         except urllib.error.HTTPError as e:
             raise RuntimeError(f"GitHub label add failed: {e.read().decode('utf-8')}") from e
 
@@ -346,7 +357,7 @@ def _get_authenticated_login(self, token: str) -> str:
             method="GET",
         )
         try:
-            with urllib.request.urlopen(req) as resp:
+            with self._urlopen_github_api(req) as resp:
                 data = json.loads(resp.read().decode("utf-8"))
         except urllib.error.HTTPError as e:
             raise RuntimeError(
@@ -370,7 +381,8 @@ def _ensure_fork(self, *, token: str, owner: str, repo: str, login: str) -> None
             method="POST",
         )
         try:
-            urllib.request.urlopen(req).read()
+            with self._urlopen_github_api(req) as resp:
+                resp.read()
         except urllib.error.HTTPError as e:
             # If fork already exists or immediate accept, ignore certain errors
             if e.code not in (202, 201):
@@ -396,7 +408,7 @@ def _repo_exists(self, token: str, *, owner: str, repo: str) -> bool:
             method="GET",
         )
         try:
-            with urllib.request.urlopen(req) as resp:
+            with self._urlopen_github_api(req) as resp:
                 return resp.getcode() == 200
         except urllib.error.HTTPError as e:
             if e.code == 404:
diff --git a/tests/unit/exporters/test_github_pr_exporter.py b/tests/unit/exporters/test_github_pr_exporter.py
@@ -0,0 +1,41 @@
+import urllib.request
+
+import pytest
+
+from metriq_gym.benchmarks.benchmark import BenchmarkResult
+from metriq_gym.exporters.github_pr_exporter import (
+    GITHUB_API_TIMEOUT_SECONDS,
+    GitHubPRExporter,
+)
+
+
+def test_urlopen_github_api_passes_timeout(metriq_job, monkeypatch):
+    exporter = GitHubPRExporter(metriq_job, BenchmarkResult())
+    called = {}
+
+    class FakeOpener:
+        def open(self, req, timeout=None):
+            called["url"] = req.full_url
+            called["timeout"] = timeout
+            return object()
+
+    monkeypatch.setattr(urllib.request, "build_opener", lambda: FakeOpener())
+
+    req = urllib.request.Request("https://api.github.com/user", method="GET")
+    exporter._urlopen_github_api(req)
+
+    assert called == {"url": "https://api.github.com/user", "timeout": GITHUB_API_TIMEOUT_SECONDS}
+
+
+def test_urlopen_github_api_rejects_non_https(metriq_job):
+    exporter = GitHubPRExporter(metriq_job, BenchmarkResult())
+    req = urllib.request.Request("http://api.github.com/user", method="GET")
+    with pytest.raises(ValueError, match="Refusing to open non-GitHub API URL"):
+        exporter._urlopen_github_api(req)
+
+
+def test_urlopen_github_api_rejects_unexpected_host(metriq_job):
+    exporter = GitHubPRExporter(metriq_job, BenchmarkResult())
+    req = urllib.request.Request("https://example.com/user", method="GET")
+    with pytest.raises(ValueError, match="Refusing to open non-GitHub API URL"):
+        exporter._urlopen_github_api(req)
