fix: validate URL scheme in build_github_request#2449
Open
ayesha-aziz123 wants to merge 6 commits intogithub:mainfrom
Open
fix: validate URL scheme in build_github_request#2449ayesha-aziz123 wants to merge 6 commits intogithub:mainfrom
ayesha-aziz123 wants to merge 6 commits intogithub:mainfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves specify_cli._github_http.build_github_request() by validating the url argument up-front so invalid/empty URLs fail fast with a clear ValueError, rather than surfacing confusing errors from deep inside urllib.
Changes:
- Add early
ValueErrorvalidation for empty/whitespace-only URLs and non-HTTP(S) schemes inbuild_github_request(). - Add a new pytest module covering URL validation and Authorization header behavior for GitHub vs non-GitHub hosts.
Show a summary per file
| File | Description |
|---|---|
src/specify_cli/_github_http.py |
Adds early URL validation before constructing a urllib.request.Request. |
tests/test_github_http.py |
Adds test coverage for URL validation and token-based Authorization header behavior. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
mnriem
requested changes
May 4, 2026
Collaborator
mnriem
left a comment
mnriem
left a comment
There was a problem hiding this comment.
Please address Copilot feedback
Contributor
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 2
Collaborator
|
Please address Copilot feedback |
Contributor
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (1)
tests/test_github_http.py:75
- There is trailing whitespace on the blank line here (line appears to contain spaces). Please remove the extra whitespace to avoid lint/format churn.
req = build_github_request("https://github.com/github/spec-kit")
assert req.get_header("Authorization") is None
def test_missing_hostname_raises_value_error(self):
- Files reviewed: 2/2 changed files
- Comments generated: 2
Comment on lines
+35
to
+42
| if not url or not url.strip(): | ||
| raise ValueError("url must not be empty") | ||
| url = url.strip() | ||
| parsed = urlparse(url) | ||
| if parsed.scheme not in {"http", "https"}: | ||
| raise ValueError(f"url must start with http:// or https://, got: {url!r}") | ||
| if not parsed.hostname: | ||
| raise ValueError(f"url must include a hostname, got: {url!r}") |
Comment on lines
+3
to
+9
| import os | ||
| from unittest.mock import patch | ||
| import pytest | ||
|
|
||
| from specify_cli._github_http import ( | ||
| build_github_request, | ||
| ) |
Collaborator
|
Please address Copilot feedback |
ayesha-aziz123
force-pushed
the
fix/validate-url-in-build-github-request
branch
from
4b4360e to
64d2624
Compare
Contributor
Author
|
@mnriem Thanks, I’ve addressed the feedback and updated the PR. CI should be passing now—please take another look. |
Contributor
There was a problem hiding this comment.
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comments suppressed due to low confidence (1)
tests/test_github_http.py:74
- Most existing tests in this repo use pytest’s
monkeypatchfixture for environment variables (e.g., the GitHub token tests intests/test_extensions.py). Usingpatch.dict(os.environ, ...)here is slightly inconsistent and (withoutclear=True) can allow unrelated env vars to leak into the test context. Consider switching these env var tests tomonkeypatch.setenv/delenvfor consistency and isolation.
def test_github_token_added_for_github_host(self):
"""Authorization header is set when GITHUB_TOKEN is present."""
with patch.dict(os.environ, {"GITHUB_TOKEN": "test-token", "GH_TOKEN": ""}):
req = build_github_request("https://github.com/github/spec-kit")
assert req.get_header("Authorization") == "Bearer test-token"
def test_gh_token_used_as_fallback(self):
"""GH_TOKEN is used when GITHUB_TOKEN is absent."""
with patch.dict(os.environ, {"GITHUB_TOKEN": "", "GH_TOKEN": "fallback-token"}):
req = build_github_request("https://github.com/github/spec-kit")
assert req.get_header("Authorization") == "Bearer fallback-token"
def test_no_auth_header_for_non_github_host(self):
"""Authorization header must NOT be set for non-GitHub URLs."""
with patch.dict(os.environ, {"GITHUB_TOKEN": "test-token"}):
req = build_github_request("https://example.com/file")
assert req.get_header("Authorization") is None
def test_no_auth_header_when_no_token(self):
"""No Authorization header when no token is set in environment."""
with patch.dict(os.environ, {}, clear=True):
req = build_github_request("https://github.com/github/spec-kit")
assert req.get_header("Authorization") is None
- Files reviewed: 2/2 changed files
- Comments generated: 2
Comment on lines
+40
to
+43
| if not url or not url.strip(): | ||
| raise ValueError("url must not be empty") | ||
| url = url.strip() | ||
| parsed = urlparse(url) |
Comment on lines
+13
to
+14
| class TestBuildGithubRequest: | ||
| """Tests for build_github_request() URL validation and auth handling.""" |
Collaborator
|
Please address Copilot feedback |
Contributor
Author
|
Addressed all Copilot feedback. Ready for re-review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
build_github_request()accepted any string as aurlparameter andpassed it directly to
urllib.request.Request(). When an empty stringor a non-HTTP URL was passed, the error originated deep inside urllib
with a confusing message (
unknown url type: '') rather than at thecall site with a clear explanation.
This PR adds early validation that raises a descriptive
ValueErrorbefore the request object is constructed.
Changes
ValueError("url must not be empty")whenurlis empty or whitespace-onlyValueErrorwhenurldoes not start withhttp://orhttps://tests/test_github_http.pycovering URL validation and auth header behaviourCloses
Fixes the confusing
unknown url typeerror raised by urllib internalswhen an invalid URL is passed to
build_github_request().Testing
uv run python -m pytest tests/test_github_http.py -v # 10 passed in 0.90sAI Disclosure
I used Claude (Anthropic) to help identify this issue via static analysis of the repository.
The fix and tests were manually verified and applied by me.