fix(bundler): validate catalog URLs in catalog add (HTTPS-only, require host)#3367
Open
marcelsafin wants to merge 2 commits into
Open
fix(bundler): validate catalog URLs in catalog add (HTTPS-only, require host)#3367marcelsafin wants to merge 2 commits into
catalog add (HTTPS-only, require host)#3367marcelsafin wants to merge 2 commits into
Conversation
…uire host) add_source persisted remote catalog URLs without the HTTPS/host checks that specify_cli.catalogs (github#3210) and the bundler adapters (github#3333) enforce, and an unclosed IPv6 bracket escaped as a raw ValueError. Mirror the catalogs.py validation for http(s) schemes and wrap urlparse so malformed input raises BundlerError. Fixes github#3366 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes specify bundle catalog add so it validates remote catalog URLs before persisting them to the project’s bundler catalog config, preventing insecure/invalid URLs from being stored and ensuring malformed inputs raise BundlerError instead of leaking ValueError tracebacks.
Changes:
- Add HTTPS-only enforcement for non-localhost
http(s)://catalog URLs and require a real host (viaparsed.hostname) at add time. - Guard URL parsing in
_is_local_path/add_sourceso malformed URLs (e.g., invalid IPv6 brackets) don’t crash the command. - Add unit tests covering plain-HTTP rejection, localhost-HTTP allowance, host-less rejection, and malformed IPv6 error wrapping for both add/remove flows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/specify_cli/bundler/commands_impl/catalog_config.py | Adds URL parsing guards and enforces HTTPS/host validation for remote catalog URLs during add_source (plus safer handling in _is_local_path). |
| tests/unit/test_bundler_catalog_config.py | Adds regression tests for the new validation behavior and malformed IPv6 handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+159
to
+163
| # Mirror specify_cli.catalogs / bundler adapters URL validation | ||
| # (#3209/#3210): HTTPS only (HTTP just for localhost), and check | ||
| # hostname, not netloc — netloc is truthy for host-less URLs like | ||
| # "https://:8080" or "https://user@". Validating here keeps junk out | ||
| # of catalogs.yaml instead of failing later at fetch time. |
Author
There was a problem hiding this comment.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #3366
specify bundle catalog addpersisted remote catalog URLs intocatalogs.yamlwithout any HTTPS or host validation, and a malformed IPv6 URL (https://[::1/c.json) escaped the command'sexcept BundlerErrorhandler as a rawValueErrortraceback.Root cause:
add_sourceinbundler/commands_impl/catalog_config.pyis the third copy of the catalog-URL validation contract —specify_cli.catalogs._validate_catalog_url(#3210) andbundler/services/adapters._validate_remote_url(#3333) both enforce HTTPS-only (HTTP for localhost) with ahostnamecheck, but the CLI entry point that actually writes the config had neither.Before:
http://evil.example.com/catalog.json,https://:8080,https://user@→✓ Added catalog ...(fails later at fetch time);https://[::1/c.json→ traceback.After: all four rejected with a clear
BundlerErrorat add time;file://,builtin://, local paths, andhttp://localhostunaffected.Also guarded the
urlparsecall in_is_local_pathsoremove_source's canonicalization fallback doesn't crash on the same malformed input.Testing
uv run specify --helpuv sync && uv run pytest— 3832 passed, 87 skipped5 new unit tests in
tests/unit/test_bundler_catalog_config.py: plain-HTTP rejection, localhost-HTTP allowance, host-less rejection (https://:8080,https://user@), andBundlerError(notValueError) on malformed IPv6 for bothadd_sourceandremove_source.AI Disclosure
Bug found, patch and tests written with GitHub Copilot CLI; all changes reviewed, and the reproduction + full test suite run and verified locally by me.