fix(url-safety): allow only http and https schemes

2026-05-18 04:41:56 +00:00 · 2026-03-24 13:45:33 +03:00 · 2026-03-24 13:45:33 +03:00 · 6af9942327
commit 6af9942327
parent 8373956850
2 changed files with 11 additions and 0 deletions
--- a/tests/tools/test_url_safety.py
+++ b/tests/tools/test_url_safety.py
@ -22,6 +22,14 @@ class TestIsSafeUrl:
        ]):
            assert is_safe_url("https://example.com/image.png") is True

+    def test_ftp_scheme_blocked(self):
+        """Only http/https should be allowed for fetch tools."""
+        assert is_safe_url("ftp://example.com/file.txt") is False
+
+    def test_missing_scheme_blocked(self):
+        """Bare host/path should be rejected to avoid ambiguous handling."""
+        assert is_safe_url("example.com/path") is False
+
    def test_localhost_blocked(self):
        with patch("socket.getaddrinfo", return_value=[
            (2, 1, 6, "", ("127.0.0.1", 0)),