Closed
The URL validation check is:
if not ("github.com" in repo_url or "gitlab.com" in repo_url):
    raise click.BadParameter(...)
This check verifies only that the strings github.com or gitlab.com appear anywhere in the URL, without parsing the actual hostname. It can be bypassed with:
https://github.com@evil.com/repo
https://github.com.attacker.com/repo
In the first case, Git interprets github.com as credentials and contacts evil.com as the actual host. PySpector will then clone a repository fully controlled by the "attacker".
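As an added example (not PySpector's own code), the substring check next to a hostname-based replacement that parses the URL and rejects userinfo and non-https schemes; the exact-match allow-list and the legitimate sample URL are assumptions, the two bypass URLs are the ones from this report:

```python
from urllib.parse import urlsplit

# Assumed allow-list: the hardened check compares the parsed hostname
# against these exactly instead of searching for them as substrings.
ALLOWED_HOSTS = frozenset({"github.com", "gitlab.com"})


def weak_check(repo_url: str) -> bool:
    """The original substring check: True if either host name appears anywhere."""
    return "github.com" in repo_url or "gitlab.com" in repo_url


def strict_check(repo_url: str) -> bool:
    """Hardened check: parse the URL and compare the real hostname.

    Rejects anything that is not https, anything carrying userinfo
    (the user@host form used in the first bypass), and any hostname
    that is not exactly one of the allowed hosts (second bypass).
    """
    parts = urlsplit(repo_url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased, port stripped, None if absent
    if host is None:
        return False
    return host in ALLOWED_HOSTS


# Constructed sample inputs: one legitimate URL plus the two bypass URLs above.
SAMPLES = [
    "https://github.com/example/repo",
    "https://github.com@evil.com/repo",
    "https://github.com.attacker.com/repo",
]


def compare_checks(urls=SAMPLES) -> dict:
    """Return {url: (substring_result, hostname_result)} for each URL."""
    return {u: (weak_check(u), strict_check(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in compare_checks().items():
        print(f"{url:40} substring={weak!s:5} hostname={strict}")
```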