Harden audit tooling and release helpers
Some checks failed
Dependency Audit / dependency-audit (push) Failing after 1m14s
Security Audit / security-audit (push) Failing after 31s

This commit is contained in:
2026-07-11 18:37:51 +02:00
parent 54ab1945ff
commit 342582645b
3 changed files with 87 additions and 12 deletions

View File

@@ -31,7 +31,7 @@ class RepoTarget:
@property
def api_base(self) -> str:
return f"{self.base_url.rstrip('/')}/api/v1"
return f"{validated_http_base_url(self.base_url)}/api/v1"
def repo_root(start: pathlib.Path) -> pathlib.Path:
@@ -80,6 +80,15 @@ def quote_path(value: str) -> str:
return urllib.parse.quote(value, safe="")
def validated_http_base_url(value: str) -> str:
parsed = urllib.parse.urlparse(value.rstrip("/"))
if parsed.scheme not in {"http", "https"} or not parsed.netloc:
raise GiteaError("Gitea URL must use http:// or https:// with a hostname.")
if parsed.username or parsed.password:
raise GiteaError("Gitea URL must not include embedded credentials.")
return urllib.parse.urlunparse((parsed.scheme, parsed.netloc, parsed.path.rstrip("/"), "", "", ""))
class GiteaClient:
def __init__(self, target: RepoTarget, token: str | None) -> None:
self.target = target
@@ -110,7 +119,7 @@ class GiteaClient:
request = urllib.request.Request(url, data=data, headers=headers, method=method)
try:
with urllib.request.urlopen(request, timeout=30) as response:
with urllib.request.urlopen(request, timeout=30) as response: # noqa: S310 - validated Gitea http(s) API URL. # nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
payload = response.read().decode("utf-8")
if not payload:
return None