fix(teams): harden graph URL routing per review — fail-closed parse, keep colon paths

Address PR review feedback on the SSRF routing fix:
- Gemini (robustness): wrap urlparse in try/except and fail closed (treat an
  unparseable URL, e.g. a bad IPv6 literal, as absolute so the allowlist rejects
  it) instead of letting urlparse raise out of the function.
- Codex (P2, colon paths): keep routing on `scheme or netloc`. A bare `root:/…`
  segment never joined via urljoin anyway (urljoin sees scheme `root` and returns
  it unchanged), so rejecting it is the safe behavior — routing it to the relative
  branch would attach the Graph token to a malformed `root:` URL. Realistic Graph
  colon paths put the colon AFTER a slash (`me/drive/root:/x:/content`), parse with
  no scheme, and still join onto the trusted base — added a test proving it.

Tests: +malformed-URL-fails-closed, +colon-after-slash-relative-path-joins (19 total).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: claude

src/chat_sdk/adapters/teams/graph/__init__.py

@@ -262,12 +262,17 @@ async def call_teams_graph_api(path_or_url: str, options: TeamsGraphOptions) ->
     # Route on the PARSED form, not a case-sensitive ``startswith("http")`` prefix.
     # ``HTTPS://evil`` (mixed-case scheme) and ``//evil`` (scheme-relative) both slip
     # past a lowercase-prefix test, yet ``urljoin`` still resolves them to an absolute
-    # attacker URL — so the routing diverged from ``is_trusted_graph_url`` and the
-    # Graph token could attach to an untrusted host. Anything ``urlparse`` reads as
-    # having a scheme or a netloc is treated as absolute and forced through the host
-    # allowlist (fail closed); only a truly relative path is joined onto the base.
-    parsed = urlparse(path_or_url)
-    if parsed.scheme or parsed.netloc:
+    # attacker URL — so the routing diverged from ``is_trusted_graph_url`` and the Graph
+    # token could attach to an untrusted host. Anything ``urlparse`` reads as having a
+    # scheme or a netloc is treated as absolute and forced through the host allowlist;
+    # a malformed URL (``urlparse`` raises, e.g. a bad IPv6 literal) fails closed the
+    # same way. Only a truly relative path is joined onto the trusted base.
+    try:
+        parsed = urlparse(path_or_url)
+        is_absolute = bool(parsed.scheme or parsed.netloc)
+    except (ValueError, TypeError):
+        is_absolute = True  # unparseable -> fail closed; the allowlist below rejects it
+    if is_absolute:
         if not is_trusted_graph_url(path_or_url):
             raise ValueError(f"Refusing to call Microsoft Graph API on untrusted host: {path_or_url}")
         url = path_or_url

tests/test_teams_graph_primitive.py

@@ -326,6 +326,32 @@ async def test_rejects_mixed_case_scheme_and_scheme_relative_attacker_urls(self)
                 await paginate_teams_graph(hostile, _opts("p", fetch=request))
             request.assert_not_awaited()
 
+    @pytest.mark.asyncio
+    async def test_malformed_url_fails_closed_without_fetching_a_token(self) -> None:
+        # urlparse raises on some inputs (e.g. a bad IPv6 literal). The router must
+        # fail closed — treat it as absolute and reject via the allowlist — never join
+        # it or fetch a token for it.
+        request = _fetch(_json_response(_TOKEN_BODY))
+        with pytest.raises(ValueError, match="untrusted host"):
+            await paginate_teams_graph("https://[oops", _opts("p", fetch=request))
+        request.assert_not_awaited()
+
+    @pytest.mark.asyncio
+    async def test_colon_in_relative_graph_path_still_joins_onto_the_trusted_base(self) -> None:
+        # A relative Graph segment whose colon falls after a slash (e.g. a OneDrive
+        # ``…/root:/path:/content`` address) parses with no scheme/netloc, so the
+        # parse-based routing still joins it onto the trusted base — it is not
+        # over-rejected as an absolute URL.
+        request = _fetch(_json_response(_TOKEN_BODY), _json_response({"id": "x"}))
+        result = await paginate_teams_graph(
+            "me/drive/root:/Reports/jan.csv:/content", _opts("p", fetch=request)
+        )
+        assert _url(request.await_args_list[1]) == (
+            "https://graph.microsoft.com/v1.0/me/drive/root:/Reports/jan.csv:/content"
+        )
+        assert _headers(request.await_args_list[1])["authorization"] == "Bearer graph-token"
+        assert result == {"id": "x"}
+
     def test_is_trusted_graph_url_allowlist(self) -> None:
         assert is_trusted_graph_url("https://graph.microsoft.com/v1.0/next") is True
         # Wrong scheme, lookalike suffix, foreign host, and parse junk all fail.