harden: reject hostless URLs in is_https_or_localhost_http

PascalThuet · PascalThuet · commit f3a3b5bb3e55 · 2026-06-12T14:11:37.000+02:00
A URL without a hostname (e.g. https:///x) has no real target; reject it
regardless of scheme. Folds main's hostless-HTTPS guard into the shared
predicate so every download/redirect call site benefits.
diff --git a/src/specify_cli/_download_security.py b/src/specify_cli/_download_security.py
@@ -42,13 +42,18 @@ def is_https_or_localhost_http(url: str) -> bool:
     by the direct URL validations in the CLI download flows, so the rule (and
     any future tightening of it) lives in one place.
 
+    A hostname is always required: a URL without one (e.g. ``https:///x``)
+    has no real target and is rejected regardless of scheme.
+
     The loopback allowance is a deliberate *exact-string* match on
     ``localhost`` / ``127.0.0.1`` / ``::1``, not an IP-range check: other
     loopback addresses (e.g. ``127.0.0.2``) are intentionally not covered.
     ``urlparse`` already lower-cases the hostname, so the comparison is
     case-insensitive.
     """
     parsed = urlparse(url)
+    if not parsed.hostname:
+        return False
     is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
     return parsed.scheme == "https" or (parsed.scheme == "http" and is_localhost)
 
diff --git a/tests/test_download_security.py b/tests/test_download_security.py
@@ -10,6 +10,7 @@
 import pytest
 
 from specify_cli._download_security import (
+    is_https_or_localhost_http,
     read_response_limited,
     read_zip_member_limited,
     safe_extract_zip,
@@ -25,6 +26,26 @@
 }
 
 
+@pytest.mark.parametrize(
+    "url, allowed",
+    [
+        ("https://example.com/preset.zip", True),
+        ("http://localhost:8000/preset.zip", True),
+        ("http://127.0.0.1/preset.zip", True),
+        ("http://[::1]/preset.zip", True),
+        # Non-loopback HTTP is rejected.
+        ("http://example.com/preset.zip", False),
+        # Loopback allowance is an exact-string match: 127.0.0.2 is not covered.
+        ("http://127.0.0.2/preset.zip", False),
+        # A hostname is always required, even for HTTPS.
+        ("https:///preset.zip", False),
+        ("https://", False),
+    ],
+)
+def test_is_https_or_localhost_http(url, allowed):
+    assert is_https_or_localhost_http(url) is allowed
+
+
 class _Response:
     """Faithful stream stand-in: read() advances a cursor and returns b"" at EOF."""
 
