Merge pull request #9 from akabarki76/alert-autofix-2

akabarki76 · web-flow · commit b2da0d889194 · 2025-07-10T03:50:47.000+01:00
Potential fix for code scanning alert no. 2: Incomplete URL substring sanitization
diff --git a/packages/core/src/tools/web-fetch.ts b/packages/core/src/tools/web-fetch.ts
@@ -188,10 +188,16 @@ ${textContent}
     // Perform GitHub URL conversion here to differentiate between user-provided
     // URL and the actual URL to be fetched.
     const urls = extractUrls(params.prompt).map((url) => {
-      if (url.includes('github.com') && url.includes('/blob/')) {
-        return url
-          .replace('github.com', 'raw.githubusercontent.com')
-          .replace('/blob/', '/');
+      try {
+        const parsedUrl = new URL(url);
+        if (parsedUrl.hostname === 'github.com' && url.includes('/blob/')) {
+          return url
+            .replace('github.com', 'raw.githubusercontent.com')
+            .replace('/blob/', '/');
+        }
+      } catch (e) {
+        // If URL parsing fails, ignore this URL
+        console.error(`Invalid URL encountered: ${url}`);
       }
       return url;
     });
