From a9b392e3d7326e82fb49f2689341e51c0921e74d Mon Sep 17 00:00:00 2001
From: Arpit Jain <3242828+arpitjain099@users.noreply.github.com>
Date: Sun, 20 Oct 2024 14:27:23 +0900
Subject: [PATCH] Fix code scanning alert no. 18: Full server-side request
 forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../insights_generator/core/OAI_client.py                  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py b/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py
index 498d76be..f427761b 100644
--- a/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py
+++ b/End_to_end_Solutions/InsightsGenerator/insights_generator/core/OAI_client.py
@@ -3,12 +3,17 @@
 import os
 import pdb
 import tiktoken
+import urllib.parse
+
+def is_valid_url(url):
+    parsed_url = urllib.parse.urlparse(url)
+    return parsed_url.scheme in ["http", "https"] and parsed_url.netloc != ""
 
 def make_prompt_request(prompt, max_tokens = 2048, timeout = 4):
     # Whitelist of allowed URLs
     allowed_urls = ["https://api.openai.com/v1/embeddings", "https://another-trusted-url.com"]
     url = os.getenv("AOAI_ENDPOINT")
-    if url not in allowed_urls:
+    if not is_valid_url(url) or url not in allowed_urls:
         raise ValueError("The provided URL is not allowed.")
     key = os.getenv("AOAI_KEY")