pydantic/pydantic-core #1488 (Closed)
Labels: bug V2 (Bug related to Pydantic V2), topic-urls (Related to URL types)
Initial Checks
- I confirm that I'm using Pydantic V2
Description
From pydantic 2.7.x to pydantic 2.8.x there is a regression in UrlConstraints: it does not properly validate host_required.
```python
>>> from pydantic import AnyUrl, BaseModel, UrlConstraints
>>> from typing_extensions import Annotated
>>>
>>>
>>> class Dummy(BaseModel):
...     url: Annotated[AnyUrl, UrlConstraints(host_required=True)]
...
>>>
>>> Dummy(url="javascript:alert('pwned')")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/guillaume/.cache/pypoetry/virtualenvs/peyotl-api-HfF0dALa-py3.12/lib/python3.12/site-packages/pydantic/main.py", line 171, in __init__
    self.__pydantic_validator__.validate_python(data, self_instance=self)
pydantic_core._pydantic_core.ValidationError: 1 validation error for Dummy
url
  Input should be a valid URL, empty host [type=url_parsing, input_value="javascript:alert('pwned')", input_type=str]
    For further information visit https://errors.pydantic.dev/2.6/v/url_parsing
>>> from pydantic import ValidationError
>>> try:
...     Dummy(url="javascript:alert('pwned')")
... except ValidationError:
...     pass
...
>>> Dummy.model_construct(url="javascript:alert('pwned')")
Dummy(url="javascript:alert('pwned')")
```
With pydantic 2.6.4:
```python
>>> import pytest
>>> from pydantic import AnyUrl, BaseModel, UrlConstraints
>>> from pydantic import ValidationError
>>> from typing_extensions import Annotated
>>>
>>>
>>> class Dummy(BaseModel):
...     url: Annotated[AnyUrl, UrlConstraints(host_required=True)]
...
>>>
>>> Dummy(url="javascript:alert('pwned')")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/guillaume/.cache/pypoetry/virtualenvs/peyotl-api-HfF0dALa-py3.12/lib/python3.12/site-packages/pydantic/main.py", line 171, in __init__
    self.__pydantic_validator__.validate_python(data, self_instance=self)
pydantic_core._pydantic_core.ValidationError: 1 validation error for Dummy
url
  Input should be a valid URL, empty host [type=url_parsing, input_value="javascript:alert('pwned')", input_type=str]
    For further information visit https://errors.pydantic.dev/2.6/v/url_parsing
```
Example Code
```python
import pytest
from pydantic import AnyUrl, BaseModel, UrlConstraints
from pydantic import ValidationError
from typing_extensions import Annotated


class Dummy(BaseModel):
    url: Annotated[AnyUrl, UrlConstraints(host_required=True)]


def test_javascript_is_not_an_url():
    with pytest.raises(ValidationError):
        Dummy(url="javascript:alert('pwned')")
```
Python, Pydantic & OS Version
```
pydantic version: 2.8.2
pydantic-core version: 2.20.1
pydantic-core build: profile=release pgo=true
install path: /home/guillaume/.cache/pypoetry/virtualenvs/xxx-oGZ-ftSE-py3.12/lib/python3.12/site-packages/pydantic
python version: 3.12.4 (main, Jun 7 2024, 06:33:07) [GCC 14.1.1 20240522]
platform: Linux-6.9.7-arch1-1-x86_64-with-glibc2.39
related packages: typing_extensions-4.7.1
commit: unknown
```
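A version-independent guard for the case reported above, as an added example that is not part of the original issue and is not pydantic's own code: it uses only the standard library to require both an allowed scheme and a non-empty host, two checks that are independent of each other. The `ALLOWED_SCHEMES` set, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only these schemes are acceptable for the field being guarded.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_url(value: str) -> str:
    """Return value unchanged if it has an allowed scheme and a host, else raise ValueError."""
    # Reject whitespace and control characters up front; URL parsers differ in
    # how they strip them, which can change what scheme is seen.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {scheme!r} not allowed")
    # hostname is None for forms such as "https:///path" or "https:example.com".
    if not parts.hostname:
        raise ValueError("URL has no host")
    return value


def audit(urls):
    """Map each URL to "ok" or to the reason it was rejected."""
    results = {}
    for url in urls:
        try:
            check_url(url)
            results[url] = "ok"
        except ValueError as exc:
            results[url] = str(exc)
    return results


# Constructed sample inputs; the first is the value from the report above.
SAMPLES = [
    "javascript:alert('pwned')",
    "https://example.com/path",
    "https:///path",
    "https:example.com",
    "ftp://example.com/file",
]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{url!r}: {verdict}")
```

A check like this can run as an additional validator on the field so that rejection does not depend on the library's URL constraint behaviour. `model_construct` performs no validation, so the guard only takes effect on the validated construction path.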