Skip to content

fix(catalogs): raise catalog error, not raw ValueError, on a malformed URL#3435

Merged
mnriem merged 1 commit into
github:mainfrom
Quratulain-bilal:fix/catalog-url-malformed
Jul 10, 2026
Merged

fix(catalogs): raise catalog error, not raw ValueError, on a malformed URL#3435
mnriem merged 1 commit into
github:mainfrom
Quratulain-bilal:fix/catalog-url-malformed

Conversation

@Quratulain-bilal

@Quratulain-bilal Quratulain-bilal commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

fixes #3434

CatalogStackBase._validate_catalog_url read parsed.hostname, which raises ValueError on a malformed authority (unclosed ipv6 bracket https://[::1, bracketed non-ip host https://[not-an-ip]). the method's other reject paths all raise the class catalog error, so the raw ValueError leaked instead of failing cleanly. reachable via specify integration catalog add <url>.

twin of the bundler validator fix (#3432 / #3433).

fix: wrap the parse + hostname access and convert ValueError to the normal error via cls._error, then reuse the parsed hostname for the existing scheme/host checks.

added a regression test (test_malformed_url_rejected_cleanly) covering an unclosed ipv6 bracket and a bracketed non-ip host. i confirmed it fails on the pre-fix code by stashing the source and re-running (raw ValueError leaks); the url-validation suite passes with the fix.

…d URL

CatalogStackBase._validate_catalog_url read parsed.hostname, which raises
ValueError on a malformed authority (e.g. an unclosed ipv6 bracket
"https://[::1"). every other reject path raises the class catalog error, so
the raw ValueError leaked to the caller. wrap the parse + hostname access and
convert ValueError to the normal error via cls._error.

twin of the bundler fix in adapters._validate_remote_url.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes URL validation in the shared catalog stack so malformed authorities (e.g., invalid IPv6 bracket forms) don’t leak a raw ValueError and instead raise the expected catalog error type. This makes specify integration catalog add <url> fail cleanly and consistently with other invalid-URL paths.

Changes:

  • Wrap urlparse() + parsed.hostname access in CatalogStackBase._validate_catalog_url and convert ValueError into cls._error(...).
  • Reuse the parsed hostname value for localhost detection and host presence checks.
  • Add regression coverage for malformed bracketed hosts (unclosed IPv6 bracket, bracketed non-IP host).
Show a summary per file
File Description
src/specify_cli/catalogs.py Converts malformed-URL ValueError into the catalog stack’s normal error type and reuses hostname safely.
tests/integrations/test_integration_catalog.py Adds regression tests ensuring malformed catalog URLs are rejected with IntegrationCatalogError (not a raw ValueError).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
  • Review effort level: Low

@mnriem mnriem merged commit 14fa3ad into github:main Jul 10, 2026
12 checks passed
@mnriem

mnriem commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

catalog url validator leaks raw ValueError on a malformed URL

3 participants