Fix code scanning alert no. 111: Incomplete URL substring sanitization (#12305)

Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-08-12 20:39:01 +08:00 · 2025-01-02 16:52:43 +08:00 · 2025-01-02 16:52:43 +08:00 · 0e6317678f
commit 0e6317678f
parent e7dffcd0f6
1 changed files with 7 additions and 2 deletions
--- a/api/services/app_dsl_service.py
+++ b/api/services/app_dsl_service.py
@ -2,6 +2,7 @@ import logging
 import uuid
 from enum import StrEnum
 from typing import Optional, cast
+from urllib.parse import urlparse
 from uuid import uuid4

 import yaml  # type: ignore
@ -113,8 +114,12 @@ class AppDslService:
                )
            try:
                max_size = 10 * 1024 * 1024  # 10MB
-                # tricky way to handle url from github to github raw url
-                if yaml_url.startswith("https://github.com") and yaml_url.endswith((".yml", ".yaml")):
+                parsed_url = urlparse(yaml_url)
+                if (
+                    parsed_url.scheme == "https"
+                    and parsed_url.netloc == "github.com"
+                    and parsed_url.path.endswith((".yml", ".yaml"))
+                ):
                    yaml_url = yaml_url.replace("https://github.com", "https://raw.githubusercontent.com")
                    yaml_url = yaml_url.replace("/blob/", "/")
                response = ssrf_proxy.get(yaml_url.strip(), follow_redirects=True, timeout=(10, 10))