tests/security/test_sample_config_urls.py

import unittest
from pathlib import Path

import yaml

ALLOWED_URL_PREFIXES = ("https://", "mailto:", "tel:")
URL_KEYS = {"url", "imprint", "imprint_url"}


class TestSampleConfigUrls(unittest.TestCase):
    def setUp(self) -> None:
        repo_root = Path(__file__).resolve().parents[2]
        sample_config_path = repo_root / "app" / "config.sample.yaml"
        with sample_config_path.open("r", encoding="utf-8") as handle:
            self.sample_config = yaml.safe_load(handle)

    def _iter_urls(self, data, path="root"):
        if isinstance(data, dict):
            for key, value in data.items():
                next_path = f"{path}.{key}"
                if key in URL_KEYS and isinstance(value, str):
                    yield next_path, value
                yield from self._iter_urls(value, next_path)
        elif isinstance(data, list):
            for index, item in enumerate(data):
                yield from self._iter_urls(item, f"{path}[{index}]")

    def test_sample_config_urls_use_safe_schemes(self):
        invalid_urls = [
            f"{path} -> {url}"
            for path, url in self._iter_urls(self.sample_config)
            if not url.startswith(ALLOWED_URL_PREFIXES)
        ]

        self.assertFalse(
            invalid_urls,
            "The sample config contains URLs with unsupported schemes:\n"
            + "\n".join(f"- {entry}" for entry in invalid_urls),
        )


if __name__ == "__main__":
    unittest.main()
feat: migrate to pyproject.toml, add test suites, split CI workflows - Replace requirements.txt with pyproject.toml for modern Python packaging - Add unit, integration, lint and security test suites under tests/ - Add utils/export_runtime_requirements.py and utils/check_hadolint_sarif.py - Split monolithic CI into reusable lint.yml, security.yml and tests.yml - Refactor ci.yml to orchestrate reusable workflows; publish on semver tag only - Modernize Dockerfile: pin python:3.12-slim, install via pyproject.toml - Expand Makefile with lint, security, test and CI targets - Add test-e2e via act with portfolio container stop/start around run - Fix navbar_logo_visibility.spec.js: win.fullscreen() → win.enterFullscreen() - Set use_reloader=False in app.run() to prevent double-start in CI - Add app/core.* and build artifacts to .gitignore - Fix apt-get → sudo apt-get in tests.yml e2e job - Fix pip install --ignore-installed to handle stale act cache Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-29 23:03:09 +02:00			`import unittest`
			`from pathlib import Path`

			`import yaml`

			`ALLOWED_URL_PREFIXES = ("https://", "mailto:", "tel:")`
			`URL_KEYS = {"url", "imprint", "imprint_url"}`


			`class TestSampleConfigUrls(unittest.TestCase):`
			`def setUp(self) -> None:`
			`repo_root = Path(__file__).resolve().parents[2]`
			`sample_config_path = repo_root / "app" / "config.sample.yaml"`
			`with sample_config_path.open("r", encoding="utf-8") as handle:`
			`self.sample_config = yaml.safe_load(handle)`

			`def _iter_urls(self, data, path="root"):`
			`if isinstance(data, dict):`
			`for key, value in data.items():`
			`next_path = f"{path}.{key}"`
			`if key in URL_KEYS and isinstance(value, str):`
			`yield next_path, value`
			`yield from self._iter_urls(value, next_path)`
			`elif isinstance(data, list):`
			`for index, item in enumerate(data):`
			`yield from self._iter_urls(item, f"{path}[{index}]")`

			`def test_sample_config_urls_use_safe_schemes(self):`
			`invalid_urls = [`
			`f"{path} -> {url}"`
			`for path, url in self._iter_urls(self.sample_config)`
			`if not url.startswith(ALLOWED_URL_PREFIXES)`
			`]`

			`self.assertFalse(`
			`invalid_urls,`
			`"The sample config contains URLs with unsupported schemes:\n"`
			`+ "\n".join(f"- {entry}" for entry in invalid_urls),`
			`)`


			`if __name__ == "__main__":`
			`unittest.main()`