Potential fix for code scanning alert no. 79: Incomplete URL substring sanitization

[rafaelfiguereod-stack]

Potential fix for https://github.com/rafaelfiguereod-stack/claude-code-templates/security/code-scanning/79

Use parsed hostname (parsed.hostname) and validate it with exact match or controlled subdomain rules, instead of substring matching against parsed.netloc or full URL strings.

Best fix in this file:

• In cli-tool/components/skills/scientific/citation-management/scripts/extract_metadata.py, update _parse_url.
• Normalize hostname to lowercase: host = (parsed.hostname or '').lower().
• Replace:
  • if 'doi.org' in parsed.netloc: with if host == 'doi.org':
  • PubMed condition with strict host checks plus optional path check for legacy /pubmed.
  • if 'arxiv.org' in parsed.netloc: with if host == 'arxiv.org' or host.endswith('.arxiv.org'): (safe subdomain handling).
• Keep existing functionality otherwise unchanged (same extraction regexes/returns).

No new dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

• Bug Fixes
  • Improved citation metadata extraction accuracy by refining how DOI, PubMed, and arXiv sources are identified from URLs.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4ff27c08-e546-45b6-a30c-12b23af8c0bf

📥 Commits

Reviewing files that changed from the base of the PR and between 3a2da26 and 1baa0cd.

📒 Files selected for processing (1)

• cli-tool/components/skills/scientific/citation-management/scripts/extract_metadata.py

---

📝 Walkthrough

Walkthrough

The PR refactors URL identifier detection in the MetadataExtractor._parse_url method to use normalized hostname matching instead of substring checks. DOI, PubMed, and arXiv URLs are now routed via exact or subdomain hostname patterns, with unchanged regex-based fallback logic for unmatched URLs.

Changes

URL Identifier Detection Refactoring

Layer / File(s)	Summary
Hostname-based URL Routing cli-tool/components/skills/scientific/citation-management/scripts/extract_metadata.py	The _parse_url method switches to hostname-based routing: doi.org for DOI, pubmed.ncbi.nlm.nih.gov or ncbi.nlm.nih.gov with /pubmed path for PubMed, arxiv.org or *.arxiv.org subdomains for arXiv. Fallback regex-based DOI search and URL return are unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through hostnames true,
Parsing URLs with each new clue—
DOI, PubMed, arXiv so bright,
Normalized checks make routing right! ✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alert-autofix-79

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

👋 Thanks for contributing, @rafaelfiguereod-stack!

This PR touches cli-tool/components/** and has been marked review-pending.

What happens next

1. 🤖 Automated security audit runs and posts results on this PR.
2. 👀 Maintainer review — a human reviewer validates the component with the component-reviewer agent (format, naming, security, clarity).
3. ✅ Merge — once approved, your PR is merged to main.
4. 📦 Catalog regeneration — the component catalog is rebuilt automatically.
5. 🚀 Live on aitmpl.com — your component appears on the website after deploy.

While you wait

• Check the Security Audit comment below for any issues to fix.
• Make sure your component follows the contribution guide.

This is an automated message. No action is required from you right now — a maintainer will review soon.