tool_operate: reset the URL --url-query between --next

[bagder]

Pointed out by Codex Security

Verify in test 1624

[bagder]

@aisle-analyzer augment review

[aisle-research-bot]

🔒 Aisle Security Analysis

✅ We scanned this PR and did not find any security vulnerabilities.

_{Aisle supplements but does not replace security review.}

---

Analyzed PR: #20802 at commit 47c8a0f

_{Last updated on: 2026-03-03T18:11:33Z}

[augmentcode]

🤖 Augment PR Summary

Summary: This PR fixes --url-query state leaking across --next transfers by resetting the per-transfer query fields in the tool layer.

Changes:

• Reset `global->state.httpgetfields` at the start of each `single_transfer()` so a prior transfer’s `--url-query` does not carry into the next operation.
• Adjust `single_transfer()` initialization so query state is rebuilt from the current config each time.
• Add new test case test1624 that exercises --url-query + --next and verifies the query is only applied to the first request.
• Register the new test in tests/data/Makefile.am.

Technical Notes: The new test validates that a sensitive query token is not inadvertently reused on the subsequent URL after --next.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 1 suggestions posted.

Comment augment review to trigger a new review at any time.

[testclutch]

Analysis of PR #20802 at 47c8a0f9:

Test 48 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 280 different CI jobs (the link just goes to one of them).

Test 199 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 250 different CI jobs (the link just goes to one of them).

Test 2500 failed, but it has been 60.3% flaky lately, so it's probably NOT a fault of the PR. Note that this test has failed in 2 different CI jobs (the link just goes to one of them). Note that this CI job has had a number of other flaky tests recently (3, to be exact) so it may be that this failure is rather a systemic issue with this job and not with this specific PR.

Generated by Testclutch

[Copilot]

Pull request overview

This PR fixes a state-leak bug in tool_operate where --url-query could incorrectly carry over across --next operations (as flagged by Codex Security), and adds a regression test to ensure query parameters are properly reset between operations.

Changes:

• Move httpgetfields from global State to per-OperationConfig so it does not persist across --next.
• Update URL query appending logic to use config->httpgetfields instead of state->httpgetfields.
• Add test 1624 and register it in the test suite to verify correct behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
src/tool_operate.c	Switches query-append source from global state to per-operation config, preventing cross---next leakage.
src/tool_cfgable.h	Moves httpgetfields storage to OperationConfig (removes it from State).
tests/data/test1624	New regression test verifying --url-query applies only to the first operation before --next.
tests/data/Makefile.am	Adds test1624 to the test list so it runs in CI.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.