From 294457e76bf43b4c16fa9de89fd5983b4eab9fd5 Mon Sep 17 00:00:00 2001
From: Abhimanyu Saharan
Date: Fri, 13 Feb 2026 22:32:06 +0000
Subject: [PATCH] test(skills): expand pack URL validation matrix

---
 backend/tests/test_skills_marketplace_api.py | 28 ++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/backend/tests/test_skills_marketplace_api.py b/backend/tests/test_skills_marketplace_api.py
index c4cfddd..d30dca3 100644
--- a/backend/tests/test_skills_marketplace_api.py
+++ b/backend/tests/test_skills_marketplace_api.py
@@ -19,6 +19,7 @@ from app.api.gateways import router as gateways_router
 from app.api.skills_marketplace import (
 PackSkillCandidate,
 _collect_pack_skills_from_repo,
+ _validate_pack_source_url,
 router as skills_marketplace_router,
 )
 from app.db.session import get_session
@@ -397,6 +398,33 @@ async def test_sync_pack_clones_and_upserts_skills(monkeypatch: pytest.MonkeyPat
 await engine.dispose()
 
 
+def test_validate_pack_source_url_allows_https_github_repo_with_optional_dot_git() -> None:
+ _validate_pack_source_url("https://github.com/org/repo")
+ _validate_pack_source_url("https://github.com/org/repo.git")
+
+
+@pytest.mark.parametrize(
+ "url",
+ [
+ "http://github.com/org/repo",
+ "file:///tmp/repo",
+ "ssh://github.com/org/repo",
+ "https://localhost/repo",
+ "https://127.0.0.1/repo",
+ "https://[::1]/repo",
+ ],
+)
+def test_validate_pack_source_url_rejects_unsafe_urls(url: str) -> None:
+ with pytest.raises(ValueError):
+ _validate_pack_source_url(url)
+
+
+def test_validate_pack_source_url_rejects_git_ssh_scp_like_syntax() -> None:
+ # Not a URL, but worth asserting we fail closed.
+ with pytest.raises(ValueError):
+ _validate_pack_source_url("git@github.com:org/repo.git")
+
+
 @pytest.mark.asyncio
 async def test_create_skill_pack_rejects_non_https_source_url() -> None:
 engine = await _make_engine()
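Review bot: The reject list in `test_validate_pack_source_url_rejects_unsafe_urls` pins only non-https schemes and three loopback spellings, so it does not establish whether `_validate_pack_source_url` allowlists the host or merely denylists loopback; the validator itself is outside this diff. Because the accepted URL appears to be cloned server-side (judging by the neighbouring `test_sync_pack_clones_and_upserts_skills`), the matrix should also cover a private address, a link-local address and an authority carrying userinfo, for example `"https://10.0.0.1/repo",`, `"https://169.254.169.254/repo",` and `"https://github.com@127.0.0.1/repo",` (constructed samples). If hosts other than github.com are meant to be accepted, a positive case for one would make the policy explicit either way. The `pytest.raises(ValueError)` calls here and in the scp-syntax test would be tighter with a `match=` on the rejection message, so that a ValueError raised for an unrelated parsing reason does not satisfy the test.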