security: fix incomplete URL sanitization in tests

SckyzO · claude · SckyzO · commit 159bc67b2ce2 · 2026-02-15T05:49:31.000+01:00
Replace unsafe substring check with proper URL parsing in test_url_validation to prevent incomplete URL sanitization. Changes: - Import urllib.parse.urlparse - Parse URL and validate scheme and netloc separately - Ensure hostname is exactly "github.com", not substring This prevents malicious URLs like: - https://evil.com/github.com/malicious - https://github.com.evil.com/ - https://attacker.com?redirect=github.com Fixes CodeQL HIGH severity alert: Incomplete URL substring sanitization. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
diff --git a/tests/test_artifact_schemas.py b/tests/test_artifact_schemas.py
@@ -5,6 +5,7 @@
 """
 
 from datetime import datetime
+from urllib.parse import urlparse
 
 import pytest
 
@@ -397,8 +398,9 @@ def test_url_validation(self):
         ]
 
         for url in valid_urls:
-            assert url.startswith("https://")
-            assert "github.com" in url
+            parsed = urlparse(url)
+            assert parsed.scheme == "https"
+            assert parsed.netloc == "github.com"
 
     def test_sha256_format(self):
         """SHA256 checksums must be valid hex strings."""
