
fix(security): validate ATS URL hosts#19

Merged
saagpatel merged 1 commit into
polish/v1.0-improvementsfrom
codex/fix/url-host-validation
May 18, 2026

Conversation

@saagpatel
Owner

What

  • Replace ATS domain substring checks with parsed hostname validation.
  • Apply the shared helper to Ashby, Greenhouse, Indeed, and LinkedIn URL checks.
  • Add regression coverage for lookalike ATS hosts.

Why

  • CodeQL flagged substring URL validation after CodeQL was enabled for JobCommandCenter.

How

  • Parse URLs and accept only the trusted domain or a true subdomain.
  • Preserve existing redirect/manual-review behavior while tightening host checks.

Testing

  • cd sidecar && python3 -m pytest -q tests/test_ashby.py tests/test_greenhouse.py tests/test_indeed.py tests/test_linkedin.py -q
  • cd sidecar && python3 -m ruff check touched sidecar files

Performance Impact

  • None expected; URL parsing is local and negligible.

Risk / Notes

  • Greenhouse URL parsing was rewritten to avoid whole-URL regex matching; supported board, job-board, subdomain, and gh_jid patterns remain covered by tests.

- Replace substring domain checks with parsed hostname validation.

- Add regression coverage for lookalike ATS hosts.

Tests: cd sidecar && python3 -m pytest -q tests/test_ashby.py tests/test_greenhouse.py tests/test_indeed.py tests/test_linkedin.py -q (passed); python3 -m ruff check touched sidecar files (passed)
@saagpatel saagpatel merged commit e6751c2 into polish/v1.0-improvements May 18, 2026
3 checks passed
@saagpatel saagpatel deleted the codex/fix/url-host-validation branch May 18, 2026 09:42

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5456db8beb


Comment thread sidecar/src/utils/urls.py

def hostname_matches(url: str, trusted_domain: str) -> bool:
    """Return true when a URL host is the trusted domain or its subdomain."""
    parsed = urlparse(url)

P2: Handle malformed URLs without raising

When a job has a malformed apply_url such as http://[::1, urlparse raises ValueError, so adapter validate() calls now escape instead of returning the validation-error list promised by BaseAdapter.validate. The previous substring checks simply reported the URL as invalid; wrapping parsing failures and returning False would preserve that behavior for bad user/input data.


Comment on lines +62 to +63
    hostname_matches(url, _GREENHOUSE_ROOT)
    and host not in _GREENHOUSE_BOARDS_HOSTS

P2: Reject bare Greenhouse hosts before extracting board token

When apply_url is a bare-root Greenhouse URL like https://greenhouse.io/jobs/12345 and no explicit board_token is supplied, this condition passes because hostname_matches accepts the root domain; the return below then uses greenhouse.io as the board token and calls the boards API with a bogus board instead of rejecting an unsupported URL shape. The supported subdomain pattern requires a company host, so this branch should exclude host == _GREENHOUSE_ROOT before deriving the token.

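As an added example (not the project's own code), the block below sketches how a host check that follows the PR's stated rule (trusted domain or a true subdomain only) can also address both review points above: a malformed URL returns False instead of raising, and a bare-root Greenhouse URL never yields a board token. The values of _GREENHOUSE_ROOT and _GREENHOUSE_BOARDS_HOSTS and the greenhouse_board_token helper are assumptions for this illustration.

```python
from typing import Optional
from urllib.parse import urlparse

# Constant names taken from the review thread; the values are assumed here.
_GREENHOUSE_ROOT = "greenhouse.io"
_GREENHOUSE_BOARDS_HOSTS = {"boards.greenhouse.io", "job-boards.greenhouse.io"}


def hostname_matches(url: str, trusted_domain: str) -> bool:
    """Return True when the URL's host is the trusted domain or a true subdomain.

    A malformed URL such as an unterminated IPv6 literal ("http://[::1") makes
    urlparse raise ValueError; it is reported as non-matching, not re-raised,
    so callers keep receiving a plain validation result for bad input.
    """
    try:
        host = urlparse(url).hostname
    except ValueError:
        return False
    if not host:
        # Scheme-less or host-less input never matches a trusted domain.
        return False
    trusted = trusted_domain.lower().rstrip(".")
    host = host.lower().rstrip(".")
    # Label-boundary match: "greenhouse.io.evil.example" and "notgreenhouse.io"
    # both fail, unlike a substring check.
    return host == trusted or host.endswith("." + trusted)


def greenhouse_board_token(url: str) -> Optional[str]:
    """Derive a board token from a company-subdomain Greenhouse URL (assumed helper).

    Returns None for the bare root host, the shared boards hosts, and any
    host outside the trusted domain, so no bogus token reaches the boards API.
    """
    if not hostname_matches(url, _GREENHOUSE_ROOT):
        return None
    host = urlparse(url).hostname.lower().rstrip(".")
    if host == _GREENHOUSE_ROOT or host in _GREENHOUSE_BOARDS_HOSTS:
        return None
    # "acme.greenhouse.io" -> "acme"; a deeper host is not a board host.
    label = host[: -(len(_GREENHOUSE_ROOT) + 1)]
    if not label or "." in label:
        return None
    return label
```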
