fix: validate redirect URL and reject drive-qualified paths

- Validate final URL after redirects with _validate_catalog_url()
- Reject paths with Path.drive or Path.anchor for Windows safety
- Update FakeResponse mocks with geturl() method

Author: mnriem

src/specify_cli/integrations/catalog.py

@@ -257,6 +257,10 @@ def _fetch_single_catalog(
 
         try:
             with urllib.request.urlopen(entry.url, timeout=10) as resp:
+                # Validate final URL after redirects
+                final_url = resp.geturl()
+                if final_url != entry.url:
+                    self._validate_catalog_url(final_url)
                 catalog_data = json.loads(resp.read())
 
             if not isinstance(catalog_data, dict):
@@ -551,7 +555,7 @@ def _validate(self) -> None:
                 raise IntegrationDescriptorError(
                     "Command entry 'file' must be a non-empty string"
                 )
-            if os.path.isabs(cmd_file) or ".." in Path(cmd_file).parts:
+            if os.path.isabs(cmd_file) or ".." in Path(cmd_file).parts or Path(cmd_file).drive or Path(cmd_file).anchor:
                 raise IntegrationDescriptorError(
                     f"Command entry 'file' must be a relative path without '..': {cmd_file}"
                 )
@@ -560,7 +564,7 @@ def _validate(self) -> None:
                 raise IntegrationDescriptorError(
                     "Script entry must be a non-empty string"
                 )
-            if os.path.isabs(script_entry) or ".." in Path(script_entry).parts:
+            if os.path.isabs(script_entry) or ".." in Path(script_entry).parts or Path(script_entry).drive or Path(script_entry).anchor:
                 raise IntegrationDescriptorError(
                     f"Script entry must be a relative path without '..': {script_entry}"
                 )

tests/integrations/test_integration_catalog.py

@@ -130,20 +130,24 @@ def _patch_urlopen(self, monkeypatch, catalog_data):
         """Patch urllib.request.urlopen to return *catalog_data*."""
 
         class FakeResponse:
-            def __init__(self, data):
+            def __init__(self, data, url=""):
                 self._data = json.dumps(data).encode()
+                self._url = url
 
             def read(self):
                 return self._data
 
+            def geturl(self):
+                return self._url
+
             def __enter__(self):
                 return self
 
             def __exit__(self, *a):
                 pass
 
         def fake_urlopen(url, timeout=10):
-            return FakeResponse(catalog_data)
+            return FakeResponse(catalog_data, url)
 
         import urllib.request
         monkeypatch.setattr(urllib.request, "urlopen", fake_urlopen)
@@ -431,16 +435,19 @@ def test_list_catalog_flag(self, tmp_path, monkeypatch):
         import urllib.request
 
         class FakeResponse:
-            def __init__(self, data):
+            def __init__(self, data, url=""):
                 self._data = json.dumps(data).encode()
+                self._url = url
             def read(self):
                 return self._data
+            def geturl(self):
+                return self._url
             def __enter__(self):
                 return self
             def __exit__(self, *a):
                 pass
 
-        monkeypatch.setattr(urllib.request, "urlopen", lambda url, timeout=10: FakeResponse(catalog))
+        monkeypatch.setattr(urllib.request, "urlopen", lambda url, timeout=10: FakeResponse(catalog, url))
 
         old = os.getcwd()
         try: