Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion scripts/ci/noema_review_gate.py
Original file line number Diff line number Diff line change
Expand Up @@ -295,6 +295,9 @@ def call_llm(repo: str, number: int, pr: dict[str, Any], diff: str, truncated: b
prompt,
],
}
if not (api_url.startswith("http://") or api_url.startswith("https://")):
raise ValueError(f"URL must start with http:// or https://, got: {api_url}")

request = urllib.request.Request(
api_url,
data=json.dumps(payload).encode("utf-8"),
Expand All @@ -304,7 +307,7 @@ def call_llm(repo: str, number: int, pr: dict[str, Any], diff: str, truncated: b
},
method="POST",
)
with urllib.request.urlopen(request, timeout=120) as response:
with urllib.request.urlopen(request, timeout=120) as response: # nosec B310
raw = response.read().decode("utf-8")
data = json.loads(raw)
content = (((data.get("choices") or [{}])[0].get("message") or {}).get("content") or "").strip()
Expand Down
8 changes: 8 additions & 0 deletions tests/test_noema_review_gate.py
Original file line number Diff line number Diff line change
Expand Up @@ -305,3 +305,11 @@ def test_parse_args_and_main(monkeypatch):

with pytest.raises(SystemExit, match="--pr-number must be positive"):
noema.main(["--repo", "owner/repo", "--pr-number", "0"])

def test_call_llm_rejects_unsafe_url_schemes(monkeypatch):
pr = make_pr()
monkeypatch.setenv("NOEMA_LLM_API_URL", "file:///etc/passwd")
monkeypatch.setenv("NOEMA_LLM_API_KEY", "secret")

with pytest.raises(ValueError, match="URL must start with http:// or https://"):
noema.call_llm("owner/repo", 1, pr, "diff", False)
Loading