Skip to content

service: guard against cross-origin __next URL redirection#308

Open
phanak-sap wants to merge 1 commit into
masterfrom
nextCrossOrigin
Open

service: guard against cross-origin __next URL redirection#308
phanak-sap wants to merge 1 commit into
masterfrom
nextCrossOrigin

Conversation

@phanak-sap

Copy link
Copy Markdown
Contributor

OData servers can legitimately paginate across path segments, but the
__next value is server-controlled and untrusted. Validate that its origin
(scheme + host + port) matches the configured service root before
dispatching, so session-level credentials are never forwarded to a host
the application did not configure. Raises PyODataException on mismatch.

Fix is applied in ODataHttpRequest._build_request(), the single point
both execute() (sync) and async_execute() (async) pass through, so one
check covers all dispatch paths. Depends on stdlib urllib.parse only,
keeping pyodata networking-library agnostic.

@phanak-sap

Copy link
Copy Markdown
Contributor Author

Build will currently fail because PR #307 not yet merged.

Important should be passing of both newly added tests (passing localy)

pytest tests/test_service_v2.py::test_next_url_cross_origin_raises tests/test_service_v2.py::test_next_url_same_origin_allowed

@phanak-sap phanak-sap added the enhancement New feature or request label Jul 9, 2026
@phanak-sap phanak-sap requested a review from filak-sap July 9, 2026 15:22

@filak-sap filak-sap left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just do not open PRs if you know that tests are failing and another fixing the tests is pending please! Now merge the tests fixing PR and rebase this one.

  OData servers can legitimately paginate across path segments, but the
  __next value is server-controlled and untrusted. Validate that its origin
  (scheme + host + port) matches the configured service root before
  dispatching, so session-level credentials are never forwarded to a host
  the application did not configure. Raises PyODataException on mismatch.

  Fix is applied in ODataHttpRequest._build_request(), the single point
  both execute() (sync) and async_execute() (async) pass through, so one
  check covers all dispatch paths. Depends on stdlib urllib.parse only,
  keeping pyodata networking-library agnostic.
@phanak-sap

Copy link
Copy Markdown
Contributor Author

Just do not open PRs if you know that tests are failing and another fixing the tests is pending please! Now merge the tests fixing PR and rebase this one.

sure, that was indeed the intended path forward for me.

@phanak-sap phanak-sap requested a review from filak-sap July 10, 2026 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants