How to resolve server-side request forgery (SSRF) warning for an HTTP request that takes Python package names as input?

I’m working on a function that returns an HTTP response from https://pypi.org/simple/ when Python’s pip installer requests it for a package. When pushing my code onto GitHub, the CodeQL checks warn of the risk of server-side request forgery…

Primary techniques to protect against hacks when passing user input to CLI arguments?

What are the main kinds of hacks that can be used when passing user input from the command line, and what are the key techniques to protect against them (like to protect against browser XSS attacks, you typically escape the HTML before ren…

Is there any benefit to normalizing Unicode/UTF-8 names that I am overlooking?

Reading how Spotify was normalizing Unicode inconsistently, and now I’m questioning if I am overlooking any issue in accepting non-normalized usernames.
From what I can tell, lowercase was first used on Unix because users had to log in fro…

What are the vulnerabilities of saving user input directly in a WordPress plugin?

I have a WordPress plugin that helps create an organization chart/tree and then generates a URL where the chart is available to be viewed by the public.
The plugin dashboard looks like this.
The plugin uses window alerts to input from the u…