fix: enforce strict redirects for catalog downloads

Author: PascalThuet

src/specify_cli/__init__.py

@@ -1027,7 +1027,11 @@ def extension_add(
                     from specify_cli._download_security import read_response_limited as _read_response_limited
                     from specify_cli.authentication.http import open_url as _open_url
 
-                    with _open_url(from_url, timeout=60) as response:
+                    with _open_url(
+                        from_url,
+                        timeout=60,
+                        strict_redirects=True,
+                    ) as response:
                         zip_data = _read_response_limited(
                             response,
                             error_type=ExtensionError,
@@ -2479,6 +2483,7 @@ def _validate_and_install_local(yaml_path: Path, source_label: str) -> None:
     # Try as URL (http/https)
     if source.startswith("http://") or source.startswith("https://"):
         from functools import partial
+        from urllib.parse import urlparse as _urlparse
 
         from specify_cli._download_security import read_response_limited as _read_response_limited
         from specify_cli.authentication.http import open_url as _open_url
@@ -2510,7 +2515,17 @@ def _validate_and_install_local(yaml_path: Path, source_label: str) -> None:
             ) as resp:
                 final_url = resp.geturl()
                 if not is_https_or_localhost_http(final_url):
-                    console.print(f"[red]Error:[/red] URL redirected to non-HTTPS: {final_url}")
+                    final_parsed = _urlparse(final_url)
+                    if not final_parsed.hostname:
+                        console.print(
+                            f"[red]Error:[/red] URL redirected to a URL with no hostname: {final_url}"
+                        )
+                    else:
+                        console.print(
+                            "[red]Error:[/red] URL redirected to a URL without HTTPS "
+                            "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                            f"{final_url}"
+                        )
                     raise typer.Exit(1)
                 with tempfile.NamedTemporaryFile(suffix=".yml", delete=False) as tmp:
                     tmp.write(
@@ -2587,6 +2602,7 @@ def _validate_and_install_local(yaml_path: Path, source_label: str) -> None:
 
     try:
         from functools import partial
+        from urllib.parse import urlparse as _urlparse
 
         from specify_cli.authentication.http import open_url as _open_url
         from specify_cli._github_http import resolve_github_release_asset_api_url as _resolve_gh_asset
@@ -2613,9 +2629,17 @@ def _validate_and_install_local(yaml_path: Path, source_label: str) -> None:
                 if workflow_dir.exists():
                     import shutil
                     shutil.rmtree(workflow_dir, ignore_errors=True)
-                console.print(
-                    f"[red]Error:[/red] Workflow '{source}' redirected to non-HTTPS URL: {final_url}"
-                )
+                final_parsed = _urlparse(final_url)
+                if not final_parsed.hostname:
+                    console.print(
+                        f"[red]Error:[/red] Workflow '{source}' redirected to a URL with no hostname: {final_url}"
+                    )
+                else:
+                    console.print(
+                        f"[red]Error:[/red] Workflow '{source}' redirected to a URL without HTTPS "
+                        "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                        f"{final_url}"
+                    )
                 raise typer.Exit(1)
             workflow_file.write_bytes(
                 _read_response_limited(
@@ -3052,20 +3076,28 @@ def workflow_step_add(
     def _safe_fetch(url: str) -> bytes:
         parsed = urlparse(url)
         is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
-        if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
-            raise ValueError(f"Refusing to fetch from non-HTTPS URL: {url}")
         if not parsed.hostname:
             raise ValueError(f"Refusing to fetch from URL with no hostname: {url}")
-        with _open_url(url, timeout=30) as resp:
+        if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
+            raise ValueError(
+                "Refusing to fetch from URL without HTTPS "
+                "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                f"{url}"
+            )
+        with _open_url(url, timeout=30, strict_redirects=True) as resp:
             final_url = resp.geturl()
             final_parsed = urlparse(final_url)
             final_is_localhost = final_parsed.hostname in ("localhost", "127.0.0.1", "::1")
+            if not final_parsed.hostname:
+                raise ValueError(f"Redirect to URL with no hostname: {final_url}")
             if final_parsed.scheme != "https" and not (
                 final_parsed.scheme == "http" and final_is_localhost
             ):
-                raise ValueError(f"Redirect to non-HTTPS URL: {final_url}")
-            if not final_parsed.hostname:
-                raise ValueError(f"Redirect to URL with no hostname: {final_url}")
+                raise ValueError(
+                    "Redirect to URL without HTTPS "
+                    "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                    f"{final_url}"
+                )
             return _read_response_limited(resp, label=f"workflow step {url}")
 
     _validate_step_id_or_exit(step_id)

src/specify_cli/catalogs.py

@@ -68,18 +68,18 @@ def _entry(
 
     @classmethod
     def _validate_catalog_url(cls, url: str) -> None:
-        """Validate that a catalog URL uses HTTPS, except localhost HTTP."""
+        """Validate that a catalog URL uses HTTPS, except loopback HTTP."""
         from urllib.parse import urlparse
 
         parsed = urlparse(url)
+        if not parsed.hostname:
+            raise cls._error("Catalog URL must be a valid URL with a host.")
         is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
         if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
             raise cls._error(
                 f"Catalog URL must use HTTPS (got {parsed.scheme}://). "
-                "HTTP is only allowed for localhost."
+                "HTTP is only allowed for localhost, 127.0.0.1, and ::1."
             )
-        if not parsed.netloc:
-            raise cls._error("Catalog URL must be a valid URL with a host.")
 
     def _load_catalog_config(self, config_path: Path) -> list[CatalogEntry] | None:
         """Load catalog stack configuration from a YAML file.

src/specify_cli/extensions.py

@@ -1995,14 +1995,20 @@ def _open_url(
         url: str,
         timeout: int = 10,
         extra_headers: Optional[Dict[str, str]] = None,
+        strict_redirects: bool = True,
     ):
         """Open a URL with provider-based auth, trying each configured provider.
 
         Delegates to :func:`specify_cli.authentication.http.open_url`.
         """
         from specify_cli.authentication.http import open_url
 
-        return open_url(url, timeout, extra_headers=extra_headers)
+        return open_url(
+            url,
+            timeout,
+            extra_headers=extra_headers,
+            strict_redirects=strict_redirects,
+        )
 
     def _resolve_github_release_asset_api_url(
         self,
@@ -2220,7 +2226,11 @@ def _fetch_single_catalog(
 
         # Fetch from network
         try:
-            with self._open_url(entry.url, timeout=10) as response:
+            with self._open_url(
+                entry.url,
+                timeout=10,
+                strict_redirects=True,
+            ) as response:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
@@ -2404,7 +2414,11 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
         try:
             import urllib.error
 
-            with self._open_url(catalog_url, timeout=10) as response:
+            with self._open_url(
+                catalog_url,
+                timeout=10,
+                strict_redirects=True,
+            ) as response:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
@@ -2562,10 +2576,16 @@ def download_extension(
         from urllib.parse import urlparse
 
         parsed = urlparse(download_url)
+        if not parsed.hostname:
+            raise ExtensionError(
+                f"Extension download URL must be a valid URL with a host: {download_url}"
+            )
         is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
         if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
             raise ExtensionError(
-                f"Extension download URL must use HTTPS: {download_url}"
+                "Extension download URL must use HTTPS "
+                "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                f"{download_url}"
             )
 
         # Determine target path
@@ -2586,7 +2606,10 @@ def download_extension(
         # Download the ZIP file
         try:
             with self._open_url(
-                download_url, timeout=60, extra_headers=extra_headers
+                download_url,
+                timeout=60,
+                extra_headers=extra_headers,
+                strict_redirects=True,
             ) as response:
                 zip_data = read_response_limited(
                     response,

src/specify_cli/presets/__init__.py

@@ -1840,7 +1840,7 @@ def __init__(self, project_root: Path):
         self.cache_metadata_file = self.cache_dir / "catalog-metadata.json"
 
     def _validate_catalog_url(self, url: str) -> None:
-        """Validate that a catalog URL uses HTTPS (localhost HTTP allowed).
+        """Validate that a catalog URL uses HTTPS (loopback HTTP allowed).
 
         Args:
             url: URL to validate
@@ -1851,17 +1851,17 @@ def _validate_catalog_url(self, url: str) -> None:
         from urllib.parse import urlparse
 
         parsed = urlparse(url)
+        if not parsed.hostname:
+            raise PresetValidationError(
+                "Catalog URL must be a valid URL with a host."
+            )
         is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
         if parsed.scheme != "https" and not (
             parsed.scheme == "http" and is_localhost
         ):
             raise PresetValidationError(
                 f"Catalog URL must use HTTPS (got {parsed.scheme}://). "
-                "HTTP is only allowed for localhost."
-            )
-        if not parsed.netloc:
-            raise PresetValidationError(
-                "Catalog URL must be a valid URL with a host."
+                "HTTP is only allowed for localhost, 127.0.0.1, and ::1."
             )
 
     def _make_request(self, url: str):
@@ -1877,13 +1877,19 @@ def _open_url(
         url: str,
         timeout: int = 10,
         extra_headers: Optional[Dict[str, str]] = None,
+        strict_redirects: bool = True,
     ):
         """Open a URL with provider-based auth, trying each configured provider.
 
         Delegates to :func:`specify_cli.authentication.http.open_url`.
         """
         from specify_cli.authentication.http import open_url
-        return open_url(url, timeout, extra_headers=extra_headers)
+        return open_url(
+            url,
+            timeout,
+            extra_headers=extra_headers,
+            strict_redirects=strict_redirects,
+        )
 
     def _resolve_github_release_asset_api_url(
         self,
@@ -2161,7 +2167,11 @@ def _fetch_single_catalog(self, entry: PresetCatalogEntry, force_refresh: bool =
                 pass
 
         try:
-            with self._open_url(entry.url, timeout=10) as response:
+            with self._open_url(
+                entry.url,
+                timeout=10,
+                strict_redirects=True,
+            ) as response:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
@@ -2319,7 +2329,11 @@ def fetch_catalog(self, force_refresh: bool = False) -> Dict[str, Any]:
                 pass
 
         try:
-            with self._open_url(catalog_url, timeout=10) as response:
+            with self._open_url(
+                catalog_url,
+                timeout=10,
+                strict_redirects=True,
+            ) as response:
                 catalog_data = json.loads(
                     read_response_limited(
                         response,
@@ -2492,12 +2506,18 @@ def download_pack(
         from urllib.parse import urlparse
 
         parsed = urlparse(download_url)
+        if not parsed.hostname:
+            raise PresetError(
+                f"Preset download URL must be a valid URL with a host: {download_url}"
+            )
         is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
         if parsed.scheme != "https" and not (
             parsed.scheme == "http" and is_localhost
         ):
             raise PresetError(
-                f"Preset download URL must use HTTPS: {download_url}"
+                "Preset download URL must use HTTPS "
+                "(HTTP is allowed only for localhost, 127.0.0.1, and ::1): "
+                f"{download_url}"
             )
 
         if target_dir is None:
@@ -2515,7 +2535,12 @@ def download_pack(
             extra_headers = {"Accept": "application/octet-stream"}
 
         try:
-            with self._open_url(download_url, timeout=60, extra_headers=extra_headers) as response:
+            with self._open_url(
+                download_url,
+                timeout=60,
+                extra_headers=extra_headers,
+                strict_redirects=True,
+            ) as response:
                 zip_data = read_response_limited(
                     response,
                     error_type=PresetError,

src/specify_cli/workflows/catalog.py

@@ -160,7 +160,7 @@ def __init__(self, project_root: Path) -> None:
     # -- Catalog resolution -----------------------------------------------
 
     def _validate_catalog_url(self, url: str) -> None:
-        """Validate that a catalog URL uses HTTPS (localhost HTTP allowed)."""
+        """Validate that a catalog URL uses HTTPS (loopback HTTP allowed)."""
         from urllib.parse import urlparse
 
         parsed = urlparse(url)
@@ -776,15 +776,15 @@ def _is_cache_path_safe(self) -> bool:
     # -- Catalog resolution -----------------------------------------------
 
     def _validate_catalog_url(self, url: str) -> None:
-        """Validate that a catalog URL uses HTTPS (localhost HTTP allowed)."""
-        if not is_https_or_localhost_http(url):
-            from urllib.parse import urlparse
+        """Validate that a catalog URL uses HTTPS (loopback HTTP allowed)."""
+        from urllib.parse import urlparse
 
-            parsed = urlparse(url)
-            if not parsed.hostname:
-                raise StepValidationError(
-                    "Catalog URL must be a valid URL with a host."
-                )
+        parsed = urlparse(url)
+        if not parsed.hostname:
+            raise StepValidationError(
+                "Catalog URL must be a valid URL with a host."
+            )
+        if not is_https_or_localhost_http(url):
             raise StepValidationError(
                 f"Catalog URL must use HTTPS (got {parsed.scheme}://). "
                 "HTTP is only allowed for localhost, 127.0.0.1, and ::1."

tests/integrations/test_integration_catalog.py

@@ -1072,7 +1072,7 @@ def test_add_catalog_accepts_numeric_string_priority(self, tmp_path, monkeypatch
         ("bad_url", "reason"),
         [
             ("http://insecure.example.com/catalog.json", "HTTPS"),
-            (123, "HTTPS"),
+            (123, "valid URL with a host"),
         ],
     )
     def test_add_catalog_rejects_existing_entry_with_bad_url(