fix(bundler): reject host-less catalog URLs in adapters (use hostname, not netloc)#3333
Open
Quratulain-bilal wants to merge 1 commit into
Open
fix(bundler): reject host-less catalog URLs in adapters (use hostname, not netloc)#3333Quratulain-bilal wants to merge 1 commit into
Quratulain-bilal wants to merge 1 commit into
Conversation
…, not netloc) _validate_remote_url in bundler/services/adapters.py guarded on parsed.netloc, which is truthy for host-less URLs like "https://:8080" or "https://user@" even though they carry no host. so those passed the "must be a valid URL with a host" check. its docstring says it mirrors specify_cli.catalogs validation, but that site was already fixed to use hostname in github#3210/github#3227 and this twin was missed. switch to parsed.hostname (None for host-less URLs), matching catalogs.py. this guard runs before any network call, so it is a pre-flight safety check. add parametrized regression tests for the host-less forms plus a valid host+port sanity case.
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes a URL validation gap in the bundler catalog adapter by rejecting “host-less” HTTPS URLs (e.g. https://:8080, https://user@) that previously slipped through due to relying on urlparse(...).netloc rather than hostname. This aligns bundler behavior with the established validator behavior in specify_cli.catalogs.
Changes:
- Update
_validate_remote_urlto requireparsed.hostname(notparsed.netloc) so port-only/userinfo-only URLs are rejected. - Add regression tests covering multiple host-less URL shapes plus a valid host+port sanity case.
Show a summary per file
| File | Description |
|---|---|
src/specify_cli/bundler/services/adapters.py |
Tightens pre-flight remote URL validation by checking parsed.hostname to correctly reject host-less URLs. |
tests/unit/test_bundler_adapters.py |
Adds parametrized regression tests for host-less URL forms and one valid host+port case. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 0
- Review effort level: Low
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes #3332
what
_validate_remote_urlinbundler/services/adapters.pyguarded onparsed.netloc, which is truthy for host-less URLs (https://:8080,https://user@) even though they carry no host — so they passed the "must be a valid URL with a host" check. the docstring says it mirrorsspecify_cli.catalogsvalidation, but that site was fixed to usehostnamein #3210/#3227 and this twin was missed.how
check
parsed.hostname(None for host-less URLs) instead ofparsed.netloc, matching catalogs.py. this guard runs before any network call, so it's a pre-flight safety check.reproduction (fixed)
tests
added parametrized regression tests for the host-less forms (
https://:8080,https://:0,https://user@,https://user:pw@,https://:8080/catalog.json) plus a valid host+port sanity case. verified they fail on the current code and pass with the fix; the full adapters test file pas