CodeQL: How to resolve partial Server-Side Request Forgery warning when taking user-based input as a FastAPI endpoint?

I am cross-posting here on Information Security as well to request input on the security of the Python code I’ve written and whether it can be considered a false positive.
I’m writing a function to return a file from an msys2 package repo,…

Validating file paths to satisfy GitHub CodeQL’s "Uncontrolled data used in path expression" alert [migrated]

I’m writing functions for a Python package to register files from a file system to an SQL database, and GitHub’s CodeQL has flagged that the file paths are a potential security risk.
I have constructed a basic validator to make sure that o…

How to resolve server-side request forgery (SSRF) warning for an HTTP request that takes Python package names as input?

I’m working on a function that returns an HTTP response from https://pypi.org/simple/ when Python’s pip installer requests it for a package. When pushing my code onto GitHub, the CodeQL checks warn of the risk of server-side request forgery…