Fix GNU sparse skip in safe_extract_tarball; use response.geturl() for redirect-safe format detection and HTTPS re-check

Agent-Logs-Url: https://github.com/github/spec-kit/sessions/739d3f73-200b-417a-8a86-134329200560

Co-authored-by: mnriem <15701806+mnriem@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-05-07 18:53:25 +00:00
committed by GitHub
parent 05798a9e70
commit 1015ff24da
5 changed files with 59 additions and 8 deletions

View File

@@ -2314,13 +2314,16 @@ class PresetCatalog:
version = pack_info.get("version", "unknown")
# Detect archive format from URL; resolve via Content-Type when needed.
# `final_url` may differ from `download_url` if the server redirects.
archive_fmt = detect_archive_format(download_url)
final_url = download_url
try:
with self._open_url(download_url, timeout=60) as response:
final_url = response.geturl()
if not archive_fmt:
content_type = response.headers.get("Content-Type", "")
archive_fmt = detect_archive_format(download_url, content_type)
archive_fmt = detect_archive_format(final_url, content_type)
archive_data = response.read()
except urllib.error.URLError as e:
@@ -2330,6 +2333,16 @@ class PresetCatalog:
except IOError as e:
raise PresetError(f"Failed to read preset archive from {download_url}: {e}")
# Re-validate scheme after any redirect to guard against scheme-downgrade.
_final_parsed = urlparse(final_url)
_final_is_localhost = _final_parsed.hostname in ("localhost", "127.0.0.1", "::1")
if _final_parsed.scheme != "https" and not (
_final_parsed.scheme == "http" and _final_is_localhost
):
raise PresetError(
f"Preset download URL was redirected to a non-HTTPS URL: {final_url}"
)
# Choose file extension based on detected format.
if not archive_fmt:
raise PresetError(