You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
test(teams): harden format boundary scan + tighten safe_link_href to upstream parity
Boundary test: replace the substring scan over raw import lines with an
AST-based one that reconstructs the fully-qualified module path each import
statement reaches. The old scan missed the idiomatic split form
`from chat_sdk.adapters.teams import adapter` (the dotted token
`chat_sdk.adapters.teams.adapter` never appears on one side of ` import `),
the most likely circular-import / SDK-pull-in regression. Both
`import <forbidden>` and `from <forbidden> import ...` forms are now caught
for the adapter module, microsoft_teams, and httpx/aiohttp.
safe_link_href: upstream uses `new URL(href).protocol`, which throws (=>
rejected => plain label) for malformed bare-scheme hrefs like `http:` or
`https://`. `urlparse(...).scheme` is lenient and passed those (emitting a
live link). Require a non-empty host for the http/https branch so bare-scheme
http(s) hrefs are rejected to parity; mailto: (no netloc) stays allowed.
Adds regression tests for both.
0 commit comments