test(skills): expand pack URL validation matrix

2026-02-13 22:32:06 +00:00
parent cb3aff5bb0
commit 294457e76b
1 changed files with 28 additions and 0 deletions
--- a/backend/tests/test_skills_marketplace_api.py
+++ b/backend/tests/test_skills_marketplace_api.py
@@ -19,6 +19,7 @@ from app.api.gateways import router as gateways_router
 from app.api.skills_marketplace import (
    PackSkillCandidate,
    _collect_pack_skills_from_repo,
+    _validate_pack_source_url,
    router as skills_marketplace_router,
 )
 from app.db.session import get_session
@@ -397,6 +398,33 @@ async def test_sync_pack_clones_and_upserts_skills(monkeypatch: pytest.MonkeyPat
        await engine.dispose()


+def test_validate_pack_source_url_allows_https_github_repo_with_optional_dot_git() -> None:
+    _validate_pack_source_url("https://github.com/org/repo")
+    _validate_pack_source_url("https://github.com/org/repo.git")
+
+
+@pytest.mark.parametrize(
+    "url",
+    [
+        "http://github.com/org/repo",
+        "file:///tmp/repo",
+        "ssh://github.com/org/repo",
+        "https://localhost/repo",
+        "https://127.0.0.1/repo",
+        "https://[::1]/repo",
+    ],
+)
+def test_validate_pack_source_url_rejects_unsafe_urls(url: str) -> None:
+    with pytest.raises(ValueError):
+        _validate_pack_source_url(url)
+
+
+def test_validate_pack_source_url_rejects_git_ssh_scp_like_syntax() -> None:
+    # Not a URL, but worth asserting we fail closed.
+    with pytest.raises(ValueError):
+        _validate_pack_source_url("git@github.com:org/repo.git")
+
+
@pytest.mark.asyncio
 async def test_create_skill_pack_rejects_non_https_source_url() -> None:
    engine = await _make_engine()