fix(bundler): validate catalog URLs in catalog add (HTTPS-only, require host)#3367
Merged
mnriem merged 2 commits intoJul 7, 2026
Merged
Conversation
…uire host) add_source persisted remote catalog URLs without the HTTPS/host checks that specify_cli.catalogs (github#3210) and the bundler adapters (github#3333) enforce, and an unclosed IPv6 bracket escaped as a raw ValueError. Mirror the catalogs.py validation for http(s) schemes and wrap urlparse so malformed input raises BundlerError. Fixes github#3366 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes specify bundle catalog add so it validates remote catalog URLs before persisting them to the project’s bundler catalog config, preventing insecure/invalid URLs from being stored and ensuring malformed inputs raise BundlerError instead of leaking ValueError tracebacks.
Changes:
- Add HTTPS-only enforcement for non-localhost
http(s)://catalog URLs and require a real host (viaparsed.hostname) at add time. - Guard URL parsing in
_is_local_path/add_sourceso malformed URLs (e.g., invalid IPv6 brackets) don’t crash the command. - Add unit tests covering plain-HTTP rejection, localhost-HTTP allowance, host-less rejection, and malformed IPv6 error wrapping for both add/remove flows.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/specify_cli/bundler/commands_impl/catalog_config.py | Adds URL parsing guards and enforces HTTPS/host validation for remote catalog URLs during add_source (plus safer handling in _is_local_path). |
| tests/unit/test_bundler_catalog_config.py | Adds regression tests for the new validation behavior and malformed IPv6 handling. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Collaborator
|
Thank you! |
kanfil
added a commit
to tikalk/agentic-sdlc-spec-kit
that referenced
this pull request
Jul 7, 2026
Upstream commits merged (9): - 4bb5166 Add Charter extension to community catalog (github#3363) - 1930f89 fix: extension-local script path rewriting (github#3364) - 0e40438 Update Ralph Loop extension to v1.2.1 (github#3365) - 2b5e175 fix(bundler): validate catalog URLs in catalog add (github#3367) - abaed10 chore: release 0.12.6, begin 0.12.7.dev0 (github#3393) - d4e7d2b feat(integrations): generalize post-processing to all format types (github#3311) - 1935cf7 Update Ripple extension to v1.1.0 (github#3370) - 7839acc Update DocGuard extension to v0.30.0 (github#3371) - f764270 Add Orchestration Task Context Management extension (github#3372) Conflict resolution: pyproject.toml (trivial version), agents.py (3-way merge of fork _skip_primary alias-only restructure + upstream extension_id threading + post_process_command_content hook). Assisted-by: OpenCode (model: glm-5.2, autonomous)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fixes #3366
specify bundle catalog addpersisted remote catalog URLs intocatalogs.yamlwithout any HTTPS or host validation, and a malformed IPv6 URL (https://[::1/c.json) escaped the command'sexcept BundlerErrorhandler as a rawValueErrortraceback.Root cause:
add_sourceinbundler/commands_impl/catalog_config.pyis the third copy of the catalog-URL validation contract —specify_cli.catalogs._validate_catalog_url(#3210) andbundler/services/adapters._validate_remote_url(#3333) both enforce HTTPS-only (HTTP for localhost) with ahostnamecheck, but the CLI entry point that actually writes the config had neither.Before:
http://evil.example.com/catalog.json,https://:8080,https://user@→✓ Added catalog ...(fails later at fetch time);https://[::1/c.json→ traceback.After: all four rejected with a clear
BundlerErrorat add time;file://,builtin://, local paths, andhttp://localhostunaffected.Also guarded the
urlparsecall in_is_local_pathsoremove_source's canonicalization fallback doesn't crash on the same malformed input.Testing
uv run specify --helpuv sync && uv run pytest— 3832 passed, 87 skipped5 new unit tests in
tests/unit/test_bundler_catalog_config.py: plain-HTTP rejection, localhost-HTTP allowance, host-less rejection (https://:8080,https://user@), andBundlerError(notValueError) on malformed IPv6 for bothadd_sourceandremove_source.AI Disclosure
Bug found, patch and tests written with GitHub Copilot CLI; all changes reviewed, and the reproduction + full test suite run and verified locally by me.