chore: A2A sample #32
Conversation
![semgrep-code-auth0-lab[bot]](https://avatars.githubusercontent.com/in/1042763?s=60&v=4){kind=small}
examples/a2a/hr_agent/server.py
Outdated
| try: | ||
| user_id = get_user_id_by_email(work_email) | ||
| access_token = get_hr_api_access_token(user_id=user_id) | ||
| response = requests.get(f"{os.getenv('HR_API_BASE_URL')}/employees/{user_id}", headers={ |
There was a problem hiding this comment.
Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.
⭐ Removed in commit d39ca7b ⭐
siacomuzzi
force-pushed
the
a2a_sample
branch
2 times, most recently
from
d39ca7b to
102fac3
Compare
Pending
How it works