From 0e6317678f1c7ad020c825c63f4dba50a2eb9d55 Mon Sep 17 00:00:00 2001
From: -LAN-
Date: Thu, 2 Jan 2025 16:52:43 +0800
Subject: [PATCH] Fix code scanning alert no. 111: Incomplete URL substring sanitization (#12305)
Signed-off-by: -LAN-
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 api/services/app_dsl_service.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/api/services/app_dsl_service.py b/api/services/app_dsl_service.py
index b6d6d05e58..2c4fbe1a59 100644
--- a/api/services/app_dsl_service.py
+++ b/api/services/app_dsl_service.py
@@ -2,6 +2,7 @@ import logging
 import uuid
 from enum import StrEnum
 from typing import Optional, cast
+from urllib.parse import urlparse
 from uuid import uuid4
 import yaml # type: ignore
@@ -113,8 +114,12 @@ class AppDslService:
 )
 try:
 max_size = 10 * 1024 * 1024 # 10MB
- # tricky way to handle url from github to github raw url
- if yaml_url.startswith("https://github.com") and yaml_url.endswith((".yml", ".yaml")):
+ parsed_url = urlparse(yaml_url)
+ if (
+ parsed_url.scheme == "https"
+ and parsed_url.netloc == "github.com"
+ and parsed_url.path.endswith((".yml", ".yaml"))
+ ):
 yaml_url = yaml_url.replace("https://github.com", "https://raw.githubusercontent.com")
 yaml_url = yaml_url.replace("/blob/", "/")
 response = ssrf_proxy.get(yaml_url.strip(), follow_redirects=True, timeout=(10, 10))
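Review bot: The host check is now strict, but the rewrite that follows it still runs `str.replace` over the whole URL string, so every `/blob/` occurrence (including one inside an owner, repo or file name, or in the query) is collapsed, and `parsed_url.netloc == "github.com"` is a verbatim, case-sensitive compare that includes any port or userinfo, so `https://GitHub.com/...` or `https://github.com:443/...` silently skips the raw-URL rewrite and is fetched as-is. The check also parses `yaml_url` before the `.strip()` that the `ssrf_proxy.get(...)` line applies, so the string that is validated is not byte-for-byte the one that is sent. I would compare `parsed_url.hostname` (lowercased, port and userinfo stripped), parse the stripped string, and rebuild the URL from its parsed parts so only the host and the `blob` path segment change; this needs `urlunparse` added to the import in the first hunk. The enclosing method starts before and continues after this hunk, so the `response` handling is not visible here.
```python
            parsed_url = urlparse(yaml_url.strip())
            if (
                parsed_url.scheme == "https"
                and parsed_url.hostname == "github.com"
                and parsed_url.path.endswith((".yml", ".yaml"))
            ):
                # Rebuild from the parsed parts instead of substring-replacing the
                # whole URL: only the host and the ref marker change; query/fragment
                # and any other path segment are left untouched.
                segments = parsed_url.path.split("/")  # presumably ["", owner, repo, "blob", ref, ...]
                if len(segments) > 3 and segments[3] == "blob":
                    del segments[3]
                yaml_url = urlunparse(
                    parsed_url._replace(netloc="raw.githubusercontent.com", path="/".join(segments))
                )
            # … unchanged: ssrf_proxy.get(...) call …
```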