From 96c4fa3bdd6253eaf8a0bbe43dd6aa01b5676b2b Mon Sep 17 00:00:00 2001
From: Zedifus
Date: Wed, 31 Aug 2022 20:04:39 +0100
Subject: [PATCH] Validate bedrock url before download with urllib Even though there will be an incredibly small chance of tampering this is to make bandit happy "Bandit Test ID B310" https://stackoverflow.com/a/53040523/18355876
---
 app/classes/shared/server.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/app/classes/shared/server.py b/app/classes/shared/server.py
index 1f106e48..bd8d29f6 100644
--- a/app/classes/shared/server.py
+++ b/app/classes/shared/server.py
@@ -1115,10 +1115,13 @@ class ServerInstance:
 )
 else:
 # downloads zip from remote url
- urllib.request.urlretrieve(
- Helpers.get_latest_bedrock_url(),
- os.path.join(self.settings["path"], "bedrock_server.zip"),
- )
+ bedrock_url = Helpers.get_latest_bedrock_url()
+ if bedrock_url.lower().startswith("https"):
+ urllib.request.urlretrieve(
+ bedrock_url,
+ os.path.join(self.settings["path"], "bedrock_server.zip"),
+ )
+
 unzip_path = os.path.join(self.settings["path"], "bedrock_server.zip")
 unzip_path = self.helper.wtol_path(unzip_path)
 # unzips archive that was downloaded.
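Review bot: When `bedrock_url` fails the new check the download is skipped with no log or error, yet the context lines right after the `if` still build `unzip_path` and go on to unzip `bedrock_server.zip`, so a stale archive left from an earlier run would be extracted, or the step fails later on a missing file. Add an `else:` branch that logs the rejected URL and aborts the update before the unzip step. The test itself is also loose: `startswith("https")` accepts any string with that prefix, so compare the parsed scheme instead, `if urllib.parse.urlsplit(bedrock_url).scheme == "https":`, and guard first against `get_latest_bedrock_url()` returning `None` on a failed lookup (not visible here), since `.lower()` would then raise. The enclosing method starts and ends outside this hunk, so how it reports errors to the caller should be confirmed there.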