
Fix: Mitigate Server-Side Request Forgery (SSRF) via Parser Differential#129

Merged
siddu-k merged 1 commit into siddu-k:main from ArshVermaGit:main_3 on May 28, 2026

Conversation

@ArshVermaGit

Contributor

Description

This PR addresses a critical Server-Side Request Forgery (SSRF) vulnerability in the /api/scripts/import_github endpoint.

Previously, the application validated external script URLs using urllib.parse.urlparse, but passed the raw, untrusted user string directly to urllib.request. Due to well-documented parser differentials between these two libraries, an attacker could craft complex URLs (using manipulated fragments, whitespace, or @ symbols) that urlparse would incorrectly validate as a GitHub domain, while urllib.request would resolve to an entirely different host (such as 127.0.0.1 or an internal metadata IP).

Resolved Issue

Resolves #128

Changes Made

  • URL Canonicalization: Modified the import_github endpoint to reconstruct a brand new, safe URL string using only the explicitly validated scheme, hostname, and path/query components extracted by urlparse.
  • The backend HTTP request now utilizes this reconstructed safe_url, completely stripping out any injected tricks or credentials.

Security Impact

By eliminating the parser differential, the backend is now guaranteed to only initiate requests to the exact IP addresses corresponding to the github.com or raw.githubusercontent.com domains. Attackers can no longer bypass the validation logic to scan internal infrastructure or interact with local services.

Testing

  • Verified standard GitHub script imports function correctly.
  • Simulated an SSRF payload (e.g., https://github.com@127.0.0.1/). Confirmed the application correctly detects the malicious hostname and blocks the request with a 400 Bad Request prior to executing the network call.
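The canonicalization approach the description outlines (validate with the standard-library parser, then rebuild the outgoing URL from only the validated scheme, hostname, path and query) is illustrated below as an added example. This is not the project's code and not the diff merged in this PR; `weak_validate` is a constructed stand-in for the kind of substring check that a userinfo trick defeats, and `canonicalize_github_url` is one way to implement the fix the PR describes, with the allowlist taken from the description.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hostnames the import endpoint is permitted to fetch from (per the PR description).
ALLOWED_HOSTS = {"github.com", "raw.githubusercontent.com"}


def weak_validate(url: str) -> bool:
    """Constructed example of a check that a parser differential defeats.

    Matching a substring of netloc accepts 'https://github.com@127.0.0.1/'
    because 'github.com' is the userinfo before the '@'. If the raw string is
    then handed to an HTTP client, the connection goes to 127.0.0.1.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and "github.com" in parts.netloc


def canonicalize_github_url(url: str) -> Optional[str]:
    """Return a URL rebuilt from validated components only, or None to reject.

    Validation and the outgoing request use the same parsed components, so
    there is no second parser to disagree: userinfo, fragments and any
    non-default port are dropped, and the hostname is matched exactly.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None
    host = parts.hostname  # lowercased; userinfo and port already stripped
    if host is None or host not in ALLOWED_HOSTS:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is not None and port != 443:
        return None
    path = parts.path or "/"
    # Whitespace and control characters in path/query are the raw material
    # for differential and smuggling tricks; refuse rather than normalize.
    for ch in path + parts.query:
        if ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F:
            return None
    # Rebuild from validated pieces; the fragment is intentionally discarded.
    return urlunsplit(("https", host, path, parts.query, ""))


if __name__ == "__main__":
    for candidate in (
        "https://github.com/org/repo/blob/main/script.py",
        "https://github.com@127.0.0.1/",          # payload from the PR's testing notes
        "https://user:token@github.com/org/repo", # credentials are stripped
        "https://raw.githubusercontent.com/o/r/main/s.py?x=1#frag",
    ):
        print(f"{candidate!r:60} weak={weak_validate(candidate)!s:5} "
              f"safe={canonicalize_github_url(candidate)!r}")
```

The key property is that the string sent to the HTTP client is never the user's input: it is regenerated from `urlsplit` output, so whatever the client's own parser would have made of the original text no longer matters. A hostname allowlist still does not pin the resolved IP address; if DNS rebinding is in scope, resolve and check the address at connection time as well.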

@ArshVermaGit ArshVermaGit left a comment

Contributor Author


Hi @siddu-k! Issue #128 has been resolved. Please review the PR and merge it under GSSoC. Thanks!

@siddu-k siddu-k merged commit e1fe5bf into siddu-k:main May 28, 2026
1 of 2 checks passed


Development

Successfully merging this pull request may close these issues.

Security Vulnerability: Server-Side Request Forgery (SSRF) via Parser Differential
