Skip to content

fix(bundler): reject host-less catalog URLs in adapters (use hostname, not netloc)#3333

Open
Quratulain-bilal wants to merge 1 commit into
github:mainfrom
Quratulain-bilal:fix/adapters-hostless-url
Open

fix(bundler): reject host-less catalog URLs in adapters (use hostname, not netloc)#3333
Quratulain-bilal wants to merge 1 commit into
github:mainfrom
Quratulain-bilal:fix/adapters-hostless-url

Conversation

@Quratulain-bilal

@Quratulain-bilal Quratulain-bilal commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

fixes #3332

what

_validate_remote_url in bundler/services/adapters.py guarded on parsed.netloc, which is truthy for host-less URLs (https://:8080, https://user@) even though they carry no host — so they passed the "must be a valid URL with a host" check. the docstring says it mirrors specify_cli.catalogs validation, but that site was fixed to use hostname in #3210/#3227 and this twin was missed.

how

check parsed.hostname (None for host-less URLs) instead of parsed.netloc, matching catalogs.py. this guard runs before any network call, so it's a pre-flight safety check.

reproduction (fixed)

_validate_remote_url("team", "https://:8080")   # before: accepted -> after: rejected
_validate_remote_url("team", "https://user@")   # before: accepted -> after: rejected
_validate_remote_url("team", "https://example.com:8080/c.json")  # still accepted

tests

added parametrized regression tests for the host-less forms (https://:8080, https://:0, https://user@, https://user:pw@, https://:8080/catalog.json) plus a valid host+port sanity case. verified they fail on the current code and pass with the fix; the full adapters test file pas

…, not netloc)

_validate_remote_url in bundler/services/adapters.py guarded on parsed.netloc,
which is truthy for host-less URLs like "https://:8080" or "https://user@" even
though they carry no host. so those passed the "must be a valid URL with a host"
check. its docstring says it mirrors specify_cli.catalogs validation, but that
site was already fixed to use hostname in github#3210/github#3227 and this twin was missed.

switch to parsed.hostname (None for host-less URLs), matching catalogs.py. this
guard runs before any network call, so it is a pre-flight safety check.

add parametrized regression tests for the host-less forms plus a valid
host+port sanity case.
@Quratulain-bilal Quratulain-bilal requested a review from mnriem as a code owner July 4, 2026 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: bundler adapters accept host-less catalog URLs (https://:8080), unlike catalogs.py

1 participant