hub / github.com/GitGuardian/ggshield / _assert_base_url_https

Function _assert_base_url_https

ggshield/core/plugin/client.py:90–110

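Refuse to send authenticated traffic to an http:// base URL. The instance URL is normally validated by ``validate_instance_url`` at ``auth login`` time, which already rejects non-HTTPS schemes outside of loopback. This guard catches the residual cases (a manually edited config or a non-loopback http base that slipped through) so the API token can't be sent in cleartext before the response-side redirect check has anything to inspect.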

(base_url: str)

Source from the content-addressed store, hash-verified

def _assert_base_url_https(base_url: str) -> None:
    """Refuse to send authenticated traffic to an http:// base URL.

    The instance URL is normally validated by ``validate_instance_url`` at
    ``auth login`` time, which already rejects non-HTTPS schemes outside
    of loopback. This guard catches the residual cases — a manually
    edited config or a non-loopback http base that slipped through — so
    the API token can't be sent in cleartext before the response-side
    redirect check has anything to inspect.

    The same ``GITGUARDIAN_ALLOW_INSECURE_LOOPBACK=1`` bypass used by
    ``assert_all_https`` applies here, so local dev against
    ``http://localhost:3000`` keeps working.
    """
    if base_url.startswith("https://"):
        return
    if is_insecure_loopback_allowed() and is_loopback(base_url):
        return
    raise PluginAPIError(
        f"Refusing to send authenticated request to non-HTTPS base URL {base_url!r}"
    )
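An added example, not ggshield's own code: a self-contained version of the same decision order (https, then opted-in loopback, otherwise refuse) that can be run against constructed base URLs. `loopback_host`, `InsecureBaseURLError` and `decide` are hypothetical stand-ins; how the project's `is_loopback` and `is_insecure_loopback_allowed` are actually implemented is not shown on this page, so parsing the host before testing it and accepting only the value `1` are assumptions.

```python
import ipaddress
import os
from urllib.parse import urlsplit

ENV = "GITGUARDIAN_ALLOW_INSECURE_LOOPBACK"  # name taken from the docstring


class InsecureBaseURLError(Exception):
    """Hypothetical stand-in for the project's PluginAPIError."""


def loopback_host(url: str) -> bool:
    """Assumed behaviour for is_loopback: parse first, then test the host."""
    try:
        # .hostname drops userinfo and port and lowercases the name
        host = urlsplit(url).hostname
        return host == "localhost" or ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False  # malformed URL or any other name, e.g. localhost.example.test


def assert_base_url_https(base_url: str) -> None:
    """Same decision order as the guard above."""
    if base_url.startswith("https://"):
        return
    if os.environ.get(ENV) == "1" and loopback_host(base_url):
        return
    raise InsecureBaseURLError(f"Refusing non-HTTPS base URL {base_url!r}")


def decide(base_url: str, allow_loopback: bool) -> str:
    """Run the guard with the bypass set or unset; return 'send' or 'refuse'."""
    os.environ.pop(ENV, None)
    if allow_loopback:
        os.environ[ENV] = "1"
    try:
        assert_base_url_https(base_url)
        return "send"
    except InsecureBaseURLError:
        return "refuse"
    finally:
        os.environ.pop(ENV, None)


for sample in ("http://localhost:3000", "http://localhost.example.test:3000"):
    print(sample, decide(sample, allow_loopback=True))  # constructed samples
```

With the bypass unset, every `http://` base is refused, loopback included; with it set, only hosts that parse to `localhost` or a loopback address pass.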

Calls 3

is_loopback · Function · 0.90
PluginAPIError · Class · 0.85