From 22be37f70ba50688fe4556ac45f439656ab91169 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Prpi=C4=8D?=
Date: Wed, 8 Apr 2026 15:38:24 -0400
Subject: [PATCH] fix: use proper URL parsing for GitHub API domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace substring check with urlparse hostname comparison to prevent potential bypass via crafted URLs. Resolves CodeQL alert py/incomplete-url-substring-sanitization (CWE-20): https://github.com/python-wheel-build/fromager/security/code-scanning/1

Co-Authored-By: Claude Opus 4.6
Signed-off-by: Martin Prpič
---
src/fromager/http_retry.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/fromager/http_retry.py b/src/fromager/http_retry.py
index 55d8ccb9..10cc86b1 100644
--- a/src/fromager/http_retry.py
+++ b/src/fromager/http_retry.py
@@ -18,6 +18,7 @@
 import random
 import time
 import typing
+from urllib.parse import urlparse
 
 import requests
 from requests.adapters import HTTPAdapter
@@ -156,7 +157,7 @@ def send(
 if (
 response.status_code == 403
 and request.url is not None
- and "api.github.com" in request.url
+ and urlparse(request.url).hostname == "api.github.com"
 and "rate limit" in response.text.lower()
 ):
 self._handle_github_rate_limit(response, attempt, max_attempts)
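Review bot: The diffstat lists only src/fromager/http_retry.py, so the new hostname comparison in the second hunk lands without a regression test showing that a URL which merely contains api.github.com in its path or query no longer enters _handle_github_rate_limit. Extracting the predicate, e.g. `def _is_github_api_url(url: str) -> bool:` / `    return urlparse(url).hostname == "api.github.com"`, and calling it from the condition would make that one-line assertion trivial to add and would document why hostname equality (rather than a substring match) is the intended check. urlparse() can raise ValueError on a malformed netloc such as an unbalanced IPv6 bracket; request.url has presumably already been through requests' own URL preparation by the time send() runs, so that path is likely unreachable, but it is worth confirming since the check sits inside the retry loop. The enclosing send() method begins before the hunk and continues after it.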