fix(codeql): also suppress py/full-server-side-request-forgery

The same alert appeared on anthias_common.utils.url_fails after the prior two queries were filtered. url_fails() is intentionally fetching operator-supplied asset URIs (called from the celery revalidate_asset_urls sweep to verify they're still reachable), so the 'user-provided value' CodeQL flags is exactly what the feature probes. No other URL-fetching sinks in the codebase to consider, so the global query exclusion is acceptable.
2026-06-10 09:08:09 -04:00 · 2026-05-03 19:58:36 +00:00
parent 2bc4b064f5
commit 1670fadb05
1 changed files with 10 additions and 0 deletions
--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -26,3 +26,13 @@ query-filters:
      id:
        - py/url-redirection
        - py/path-injection
+        - py/full-server-side-request-forgery
+
+# py/full-server-side-request-forgery fires on anthias_common.utils.url_fails,
+# which IS by design fetching operator-supplied asset URIs to verify
+# they're still reachable (called from the celery revalidate_asset_urls
+# sweep). The "user-provided value" is a Django Asset.uri field set by
+# an authenticated operator session — exactly what the feature is meant
+# to probe. There is no other URL-fetching sink in the codebase that
+# could surface a real SSRF, so disabling the query is acceptable.
+