Bump bandit from 1.7.4 to 1.8.6

dependabot[bot] · nikolas · commit b93c55df5627 · 2025-10-29T14:13:43.000-04:00
Bumps [bandit](https://github.com/PyCQA/bandit) from 1.7.4 to 1.8.6. - [Release notes](https://github.com/PyCQA/bandit/releases) - [Commits](PyCQA/bandit@1.7.4...1.8.6) --- updated-dependencies: - dependency-name: bandit dependency-version: 1.8.6 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
diff --git a/requirements.txt b/requirements.txt
@@ -104,7 +104,8 @@ ctlsettings==0.4.3
 pbr==7.0.0
 PyYAML==6.0.2
 stevedore==5.5.0
-bandit==1.7.4
+rich==14.2.0  # bandit
+bandit==1.8.6
 
 defusedxml==0.7.1
 lxml==6.0.0
diff --git a/wardenclyffe/main/views.py b/wardenclyffe/main/views.py
@@ -1378,7 +1378,12 @@ def _subscription_confirmation(self, request):
         if "SubscribeURL" not in message:
             return HttpResponse("no subscribe url", status=400)
         url = message["SubscribeURL"]
-        r = requests.get(url)
+        parsed_url = urlparse(url)
+
+        if parsed_url.scheme != 'https':
+            return HttpResponse('invalid subscribe url', status=400)
+
+        r = requests.get(url, timeout=5)
         if r.status_code == 200:
             return HttpResponse("OK")
         return HttpResponse("Failed to confirm")
diff --git a/wardenclyffe/mediathread/tasks.py b/wardenclyffe/mediathread/tasks.py
@@ -96,7 +96,7 @@ def submit_to_mediathread(operation):
         audio, width, height
     )
 
-    r = requests.post(mediathread_base + "save/", params)
+    r = requests.post(mediathread_base + "save/", params, timeout=5)
     if r.status_code == 200:
         # requests follows redirects, so we need to get the location
         # out of the history
@@ -136,7 +136,7 @@ def update_mediathread(operation):
 
     params = mediathread_update_params(video, mediathread_secret)
 
-    r = requests.post(mediathread_base + 'update/', params)
+    r = requests.post(mediathread_base + 'update/', params, timeout=5)
     if r.status_code == 200:
         return ("complete", "")
     elif r.status_code == 404:
diff --git a/wardenclyffe/mediathread/views.py b/wardenclyffe/mediathread/views.py
@@ -109,7 +109,7 @@ class MediathreadCourseGetter(object):
     def run(self, username):
         try:
             url = mediathread_url(username)
-            r = requests.get(url)
+            r = requests.get(url, timeout=5)
             courses = r.json()['courses']
             courses = [dict(id=k, title=v['title'])
                        for (k, v) in courses.items()]
