security: fix SSRF vulnerability in URL path parameter replacement

- Add urllib.parse.quote to safely encode path parameters
- Use safe='' to encode all special characters including '/', ':', '@'
- Prevents attackers from injecting malicious hosts or internal service paths
- Applies to both explicit PATH parameters and default path replacement logic

Author: ryoppippi

stackone_ai/models.py

@@ -8,6 +8,7 @@
 from enum import Enum
 from functools import partial
 from typing import Annotated, Any, cast
+from urllib.parse import quote
 
 import requests
 from langchain_core.tools import BaseTool
@@ -147,15 +148,19 @@ def _prepare_request_params(self, kwargs: JsonDict) -> tuple[str, JsonDict, Json
             param_location = self._execute_config.parameter_locations.get(key)
 
             if param_location == ParameterLocation.PATH:
-                url = url.replace(f"{{{key}}}", str(value))
+                # Safely encode path parameters to prevent SSRF attacks
+                encoded_value = quote(str(value), safe="")
+                url = url.replace(f"{{{key}}}", encoded_value)
             elif param_location == ParameterLocation.QUERY:
                 query_params[key] = value
             elif param_location in (ParameterLocation.BODY, ParameterLocation.FILE):
                 body_params[key] = value
             else:
                 # Default behavior
                 if f"{{{key}}}" in url:
-                    url = url.replace(f"{{{key}}}", str(value))
+                    # Safely encode path parameters to prevent SSRF attacks
+                    encoded_value = quote(str(value), safe="")
+                    url = url.replace(f"{{{key}}}", encoded_value)
                 elif self._execute_config.method in {"GET", "DELETE"}:
                     query_params[key] = value
                 else: