LGTM.com - false positive - XXX may be at an arbitrary position in the sanitized URL.

[LefterisJP]

Description of the false positive

We got a warning that a string may be at an arbitrary position in the sanitized URL. After looking at the code and at the warning's explanation I can definitely understand the sentiment of the warning but it is a bit opinionated. Can't assume that every time there is such a check there is a vulnerability hidden.

For example in this code's case it checks if infura.io is in the URL (can have various permutations so not using startswith) and if it is we try to make it easier for the user by using a different querying range. There is no danger whatsoever if somehow there is infura.io in a non correct part of the url.

URL to the alert on the project page on LGTM.com

https://lgtm.com/projects/g/rotki/rotki/snapshot/67b7fedfc510b557a4ecd6d6d8c5bd32dbfeb2e6/files/rotkehlchen/chain/ethereum/manager.py?sort=name&dir=ASC&mode=heatmap#x11dc760fe6c8da89:1

[RasmusWL]

Hi @LefterisJP, thanks for reporting this 👍 I agree that while a user could probably trick your service to do something a bit strange by including infura.io in a URL while the service is handling results from a different broker than infura.io, it doesn't seem to be a security concern.

I don't see a way to easily fix this on top of my head, so while waiting for us to (hopefully) fix this in the future, if you want to suppress the alert, you can add lgtm [py/incomplete-url-substring-sanitization] anywhere in a comment on the same line as the alert.