GeoTIFF: case-insensitive HTTP(S) scheme routing for SSRF protection (#2321 sub-task 5) #2332

@brendancol

Several call sites in xrspatial/geotiff/ route on startswith(('http://', 'https://')). That is case-sensitive, so HTTP://example.internal/... (uppercase) slips past _HTTPSource, skips the SSRF / DNS-pinning checks, and falls through to fsspec.

Fix: add a single _is_http_source(s) helper that does urlparse(s).scheme.lower() in ('http', 'https'), and route every call site through it.

Call sites to update (verify and replace all):

  • xrspatial/geotiff/_sources.py:1458, 1639
  • xrspatial/geotiff/_reader.py:145
  • xrspatial/geotiff/_writer.py:1244
  • xrspatial/geotiff/_backends/gpu.py:350, 1056
  • xrspatial/geotiff/_backends/dask.py:199
  • xrspatial/geotiff/_sidecar.py:46 (the existing _is_http_url helper is also case-sensitive)

Tests: uppercase HTTP:// routes through _HTTPSource; uppercase URLs targeting 127.0.0.1, 169.254.169.254, and localhost are still rejected by the SSRF check.

Acceptance: no security-relevant dispatch uses case-sensitive startswith. HTTP(S) SSRF protection applies regardless of scheme casing. Regression tests cover uppercase schemes and private-host rejection.

Parent: #2321 (sub-task 5).
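
The routing gap and the proposed fix, as an added example that is not xrspatial's code. `is_http_source` mirrors the helper described in the issue; `legacy_is_http`, `is_blocked_literal_host` and `route` are hypothetical names, and the literal-host check is a simplified stand-in for the project's SSRF / DNS-pinning checks, which are not shown on this page.

```python
import ipaddress
from urllib.parse import urlparse

def legacy_is_http(source):
    # Case-sensitive prefix test, the pattern the issue replaces.
    return isinstance(source, str) and source.startswith(("http://", "https://"))

def is_http_source(source):
    # Parse, lowercase the scheme, compare (the fix as described in the issue).
    if not isinstance(source, str):
        return False
    try:
        return urlparse(source).scheme.lower() in ("http", "https")
    except ValueError:  # e.g. a malformed IPv6 literal in the netloc
        return False

def is_blocked_literal_host(url):
    # Hypothetical stand-in for the SSRF check: literal hosts only, no DNS.
    host = (urlparse(url).hostname or "").rstrip(".")  # hostname is lowercased
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name: a real check must resolve and pin it
    return ip.is_loopback or ip.is_link_local or ip.is_private

def route(source, is_http=is_http_source):
    # Anything not recognised as HTTP(S) skips the host check entirely,
    # which is why the scheme test is security-relevant.
    if not is_http(source):
        return "fsspec"
    return "rejected" if is_blocked_literal_host(source) else "http"

# Constructed sample inputs for the regression cases named in the issue.
SAMPLES = [
    "https://example.com/a.tif",
    "HTTP://127.0.0.1/a.tif",
    "HTTPS://169.254.169.254/a.tif",
    "hTtP://LOCALHOST/a.tif",
    "s3://bucket/a.tif",
    "/data/a.tif",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} legacy={route(s, legacy_is_http):9} fixed={route(s)}")
```
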

Labels: bug (Something isn't working), geotiff (GeoTIFF module)
