fix(web-search): validate base URLs against endpoint paths and expand Exa search types

- Reject specific API endpoint paths (e.g., /search, /extract) in base URL
  normalization via new disallowed_path_suffixes parameter to prevent
  misconfiguration errors
- Add deep-lite and deep-reasoning to valid Exa search types and normalize
  search_type input before validation
- Add missing config parameter to BochaWebSearchTool builtin_tool decorator
  so provider status checks are properly registered

Author: piexian

astrbot/core/knowledge_base/parsers/url_parser.py

@@ -28,6 +28,7 @@ def __init__(
             tavily_base_url,
             default="https://api.tavily.com",
             provider_name="Tavily",
+            disallowed_path_suffixes=("search", "extract"),
         )
 
     async def _get_tavily_key(self) -> str:

astrbot/core/tools/web_search_tools.py

@@ -46,6 +46,15 @@
     "provider_settings.web_search": True,
     "provider_settings.websearch_provider": "exa",
 }
+_EXA_SEARCH_TYPES = (
+    "auto",
+    "fast",
+    "deep",
+    "deep-lite",
+    "deep-reasoning",
+    "instant",
+    "neural",
+)
 
 
 @std_dataclass
@@ -149,6 +158,7 @@ def _get_tavily_base_url(provider_settings: dict) -> str:
         provider_settings.get("websearch_tavily_base_url"),
         default="https://api.tavily.com",
         provider_name="Tavily",
+        disallowed_path_suffixes=("search", "extract"),
     )
 
 
@@ -157,6 +167,7 @@ def _get_exa_base_url(provider_settings: dict) -> str:
         provider_settings.get("websearch_exa_base_url"),
         default="https://api.exa.ai",
         provider_name="Exa",
+        disallowed_path_suffixes=("search", "contents", "findSimilar"),
     )
 
 
@@ -645,7 +656,7 @@ class ExaWebSearchTool(FunctionTool[AstrAgentContext]):
                 },
                 "search_type": {
                     "type": "string",
-                    "description": 'Optional. Search type. Must be one of "auto", "neural", "fast", "instant", "deep". Default is "auto".',
+                    "description": 'Optional. Search type. Must be one of "auto", "fast", "deep", "deep-lite", "deep-reasoning", "instant", "neural". Default is "auto".',
                 },
                 "category": {
                     "type": "string",
@@ -665,8 +676,8 @@ async def call(self, context, **kwargs) -> ToolExecResult:
         if not provider_settings.get("websearch_exa_key", []):
             return "Error: Exa API key is not configured in AstrBot."
 
-        search_type = kwargs.get("search_type", "auto")
-        if search_type not in ("auto", "neural", "fast", "instant", "deep"):
+        search_type = str(kwargs.get("search_type", "auto")).strip().lower()
+        if search_type not in _EXA_SEARCH_TYPES:
             search_type = "auto"
 
         max_results = max(1, min(int(kwargs.get("max_results", 10)), 100))
@@ -794,7 +805,7 @@ async def call(self, context, **kwargs) -> ToolExecResult:
         return _search_result_payload(results)
 
 
-@builtin_tool
+@builtin_tool(config=_BOCHA_WEB_SEARCH_TOOL_CONFIG)
 @pydantic_dataclass
 class BochaWebSearchTool(FunctionTool[AstrAgentContext]):
     name: str = "web_search_bocha"

astrbot/core/utils/web_search_utils.py

@@ -18,6 +18,7 @@ def normalize_web_search_base_url(
     *,
     default: str,
     provider_name: str,
+    disallowed_path_suffixes: tuple[str, ...] = (),
 ) -> str:
     normalized = (base_url or "").strip()
     if not normalized:
@@ -30,6 +31,18 @@ def normalize_web_search_base_url(
             f"Error: {provider_name} API Base URL must start with http:// or "
             f"https://. Proxy base paths are allowed. Received: {normalized!r}.",
         )
+
+    last_path_segment = parsed.path.rstrip("/").rsplit("/", 1)[-1].lower()
+    invalid_suffixes = {
+        suffix.strip("/").lower()
+        for suffix in disallowed_path_suffixes
+        if suffix and suffix.strip("/")
+    }
+    if last_path_segment and last_path_segment in invalid_suffixes:
+        raise ValueError(
+            f"Error: {provider_name} API Base URL must be a base URL or proxy "
+            f"prefix, not a specific endpoint path. Received: {normalized!r}.",
+        )
     return normalized
 
 

tests/unit/test_web_search_tools.py

@@ -0,0 +1,112 @@
+from types import SimpleNamespace
+
+import pytest
+
+import astrbot.core.tools.registry as tool_registry
+import astrbot.core.tools.web_search_tools as web_search_tools
+from astrbot.core.knowledge_base.parsers.url_parser import URLExtractor
+from astrbot.core.tools.web_search_tools import ExaWebSearchTool
+
+
+def _make_tool_context(provider_settings: dict) -> SimpleNamespace:
+    cfg = {"provider_settings": provider_settings}
+    return SimpleNamespace(
+        context=SimpleNamespace(
+            context=SimpleNamespace(get_config=lambda umo=None: cfg),
+            event=SimpleNamespace(unified_msg_origin="test:private:session"),
+        )
+    )
+
+
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    ("search_type", "expected"),
+    [
+        ("deep-lite", "deep-lite"),
+        ("deep-reasoning", "deep-reasoning"),
+        ("instant", "instant"),
+        ("unsupported", "auto"),
+    ],
+)
+async def test_exa_web_search_tool_normalizes_search_type(
+    monkeypatch: pytest.MonkeyPatch,
+    search_type: str,
+    expected: str,
+):
+    captured: dict[str, object] = {}
+
+    async def fake_exa_search(provider_settings: dict, payload: dict, timeout: int):
+        captured["provider_settings"] = provider_settings
+        captured["payload"] = payload
+        captured["timeout"] = timeout
+        return []
+
+    monkeypatch.setattr(web_search_tools, "_exa_search", fake_exa_search)
+
+    tool = ExaWebSearchTool()
+    result = await tool.call(
+        _make_tool_context({"websearch_exa_key": ["test-key"]}),
+        query="AstrBot",
+        search_type=search_type,
+    )
+
+    assert result == "Error: Exa web searcher does not return any results."
+    assert captured["payload"]["type"] == expected
+
+
+def test_get_exa_base_url_rejects_endpoint_path():
+    with pytest.raises(ValueError) as exc_info:
+        web_search_tools._get_exa_base_url(
+            {"websearch_exa_base_url": "https://api.exa.ai/search"}
+        )
+
+    assert str(exc_info.value) == (
+        "Error: Exa API Base URL must be a base URL or proxy prefix, "
+        "not a specific endpoint path. Received: 'https://api.exa.ai/search'."
+    )
+
+
+def test_url_extractor_rejects_endpoint_base_url():
+    with pytest.raises(ValueError) as exc_info:
+        URLExtractor(
+            ["test-key"],
+            tavily_base_url="https://api.tavily.com/extract",
+        )
+
+    assert str(exc_info.value) == (
+        "Error: Tavily API Base URL must be a base URL or proxy prefix, "
+        "not a specific endpoint path. Received: 'https://api.tavily.com/extract'."
+    )
+
+
+def test_bocha_builtin_config_statuses_are_registered():
+    rule = tool_registry._BUILTIN_TOOL_CONFIG_RULES.get("web_search_bocha")
+
+    assert rule is not None
+    statuses = rule.evaluate(
+        {
+            "provider_settings": {
+                "web_search": True,
+                "websearch_provider": "bocha",
+            }
+        }
+    )
+
+    assert statuses == [
+        {
+            "key": "provider_settings.web_search",
+            "operator": "equals",
+            "expected": True,
+            "actual": True,
+            "matched": True,
+            "message": None,
+        },
+        {
+            "key": "provider_settings.websearch_provider",
+            "operator": "equals",
+            "expected": "bocha",
+            "actual": "bocha",
+            "matched": True,
+            "message": None,
+        }
+    ]

tests/unit/test_web_search_utils.py

@@ -121,7 +121,6 @@ def test_normalize_web_search_base_url_reports_invalid_value(
     [
         (" https://api.exa.ai/ ", "https://api.exa.ai"),
         ("https://proxy.example.com/exa/", "https://proxy.example.com/exa"),
-        ("https://api.exa.ai/search", "https://api.exa.ai/search"),
     ],
 )
 def test_normalize_web_search_base_url_accepts_proxy_paths(
@@ -134,3 +133,40 @@ def test_normalize_web_search_base_url_accepts_proxy_paths(
     )
 
     assert normalized == expected
+
+
+@pytest.mark.parametrize(
+    ("base_url", "provider_name", "disallowed_path_suffixes", "expected_message"),
+    [
+        (
+            "https://api.exa.ai/search",
+            "Exa",
+            ("search", "contents", "findSimilar"),
+            "Error: Exa API Base URL must be a base URL or proxy prefix, "
+            "not a specific endpoint path. Received: 'https://api.exa.ai/search'.",
+        ),
+        (
+            "https://api.tavily.com/extract",
+            "Tavily",
+            ("search", "extract"),
+            "Error: Tavily API Base URL must be a base URL or proxy prefix, "
+            "not a specific endpoint path. Received: "
+            "'https://api.tavily.com/extract'.",
+        ),
+    ],
+)
+def test_normalize_web_search_base_url_rejects_endpoint_paths(
+    base_url: str,
+    provider_name: str,
+    disallowed_path_suffixes: tuple[str, ...],
+    expected_message: str,
+):
+    with pytest.raises(ValueError) as exc_info:
+        normalize_web_search_base_url(
+            base_url,
+            default="https://api.exa.ai",
+            provider_name=provider_name,
+            disallowed_path_suffixes=disallowed_path_suffixes,
+        )
+
+    assert str(exc_info.value) == expected_message