Merge pull request #3007 from orbisai0security/fix-fix-v-006-graphql-injection-sanitization

fix: use subprocess instead of os.system in fetch_github_stars.py
This commit is contained in:
Vinta Chen 2026-03-30 15:01:18 +08:00 committed by GitHub
commit 87c5f3bde9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -19,6 +19,10 @@ README_PATH = Path(__file__).parent.parent / "README.md"
GRAPHQL_URL = "https://api.github.com/graphql" GRAPHQL_URL = "https://api.github.com/graphql"
BATCH_SIZE = 50 BATCH_SIZE = 50
# Allowlist for valid GitHub owner/repo name characters.
# GitHub usernames and repo names only allow letters, digits, hyphens, underscores, and dots.
_GITHUB_NAME_RE = re.compile(r"^[a-zA-Z0-9._-]+$")
def extract_github_repos(text: str) -> set[str]: def extract_github_repos(text: str) -> set[str]:
"""Extract unique owner/repo pairs from GitHub URLs in markdown text.""" """Extract unique owner/repo pairs from GitHub URLs in markdown text."""
@ -46,7 +50,7 @@ def build_graphql_query(repos: list[str]) -> str:
parts = [] parts = []
for i, repo in enumerate(repos): for i, repo in enumerate(repos):
owner, name = repo.split("/", 1) owner, name = repo.split("/", 1)
if '"' in owner or '"' in name: if not _GITHUB_NAME_RE.match(owner) or not _GITHUB_NAME_RE.match(name):
continue continue
parts.append( parts.append(
f'repo_{i}: repository(owner: "{owner}", name: "{name}") ' f'repo_{i}: repository(owner: "{owner}", name: "{name}") '
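Review bot: The replaced guard on the `if not _GITHUB_NAME_RE.match(owner) or not _GITHUB_NAME_RE.match(name):` line uses `re.match` with a `^...$` pattern, which still accepts a value ending in a single `\n` because `$` matches before a trailing newline; `re.fullmatch` closes that gap at no cost: `if not (_GITHUB_NAME_RE.fullmatch(owner) and _GITHUB_NAME_RE.fullmatch(name)):`. Whether `extract_github_repos` can ever yield such a value cannot be told from this hunk, but the stricter form is the idiom for an allowlist that feeds an f-string interpolated into the GraphQL query. The `continue` also drops a rejected repo silently, so a short comment such as `# Skip names outside the allowlist rather than interpolating them into the query.` would record the intent for the next reader. `build_graphql_query` starts and ends outside the hunk.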