From 98da920a83a8f792a2855cca76972231e618777d Mon Sep 17 00:00:00 2001
From: Eduard van Valkenburg
Date: Mon, 17 Nov 2025 14:51:03 +0100
Subject: [PATCH 1/3] Potential fix for code scanning alert no. 29: Incomplete URL substring sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../devui/agent_framework_devui/_deployment.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/python/packages/devui/agent_framework_devui/_deployment.py b/python/packages/devui/agent_framework_devui/_deployment.py
index e1cf1d5c3d..1693600108 100644
--- a/python/packages/devui/agent_framework_devui/_deployment.py
+++ b/python/packages/devui/agent_framework_devui/_deployment.py
@@ -7,6 +7,7 @@
 import re
 import secrets
 import uuid
+from urllib.parse import urlparse
 from collections.abc import AsyncGenerator
 from datetime import datetime, timezone
 from pathlib import Path
@@ -467,11 +468,16 @@ async def _deploy_to_azure(
 await event_queue.put(
 DeploymentEvent(type="deploy.progress", message=f"Docker build: {line_text}")
 )
- elif "https://" in line_text and ".azurecontainerapps.io" in line_text:
- # Deployment URL detected
- await event_queue.put(
- DeploymentEvent(type="deploy.progress", message="Deployment URL generated!")
- )
+ elif "https://" in line_text:
+ # Try to extract all URLs and check if any is on azurecontainerapps.io
+ urls = re.findall(r'https://[^\s]+', line_text)
+ for url in urls:
+ host = urlparse(url).hostname
+ if host and (host == "azurecontainerapps.io" or host.endswith(".azurecontainerapps.io")):
+ await event_queue.put(
+ DeploymentEvent(type="deploy.progress", message="Deployment URL generated!")
+ )
+ break
 # Wait for process to complete
 return_code = await process.wait()
From ec55d03c87a2b2d6d3776adc2f472c428dc38740 Mon Sep 17 00:00:00 2001
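Review bot: `urlparse(url).hostname` inside the new `for url in urls:` loop can raise `ValueError` on a malformed authority (for example an unbalanced `[` right after `https://`), and nothing in this hunk catches it, so a single odd line of build or CLI output could abort the progress reader instead of being skipped. `_deploy_to_azure` starts and ends outside the hunk, so an outer handler may exist; if it does not, guard the parse with `try: host = urlparse(url).hostname` followed by `except ValueError: continue`. A one-line comment above the `if host and (...)` test would also keep a later edit from reverting to the substring check, e.g. `# compare the parsed host: "x.azurecontainerapps.io.other.example" must not match`.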
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Tue, 18 Nov 2025 11:35:33 +0100
Subject: [PATCH 2/3] Python: Fix URL parsing to handle trailing punctuation in deployment progress detection (#2296)
* Initial plan
* Fix URL parsing to handle trailing punctuation correctly
Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
---
 python/packages/devui/agent_framework_devui/_deployment.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/python/packages/devui/agent_framework_devui/_deployment.py b/python/packages/devui/agent_framework_devui/_deployment.py
index 1693600108..eaf40e4c45 100644
--- a/python/packages/devui/agent_framework_devui/_deployment.py
+++ b/python/packages/devui/agent_framework_devui/_deployment.py
@@ -470,9 +470,11 @@ async def _deploy_to_azure(
 )
 elif "https://" in line_text:
 # Try to extract all URLs and check if any is on azurecontainerapps.io
- urls = re.findall(r'https://[^\s]+', line_text)
+ urls = re.findall(r'https://[^\s<>"]+', line_text)
 for url in urls:
- host = urlparse(url).hostname
+ # Strip common trailing punctuation to ensure clean URL parsing
+ url_clean = url.rstrip('.,;:!?\'")}]')
+ host = urlparse(url_clean).hostname
 if host and (host == "azurecontainerapps.io" or host.endswith(".azurecontainerapps.io")):
 await event_queue.put(
 DeploymentEvent(type="deploy.progress", message="Deployment URL generated!")
From 0a89f34032f54bacba6bae0836a4c13f3e11090e Mon Sep 17 00:00:00 2001
From: eavanvalkenburg
Date: Tue, 18 Nov 2025 11:49:28 +0100
Subject: [PATCH 3/3] updated lock
---
 python/packages/devui/agent_framework_devui/_deployment.py | 4 ++--
 python/uv.lock | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
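Review bot: The strip set in `url.rstrip('.,;:!?\'")}]')` includes `]`, so a token ending in a bracketed host literal such as `https://[::1]` is cut to `https://[::1`, and `urlparse` raises `ValueError` on the unbalanced bracket; before this change the same token parsed cleanly. Dropping `]` from the set, or catching `ValueError` around `urlparse(url_clean).hostname` and continuing to the next match, keeps an unusual log line from becoming an exception. The new character class `[^\s<>"]` already stops a match at `"`, so the `"` in the strip set can never apply and could be removed. The body of `_deploy_to_azure` lies outside the hunk, so whether an outer handler absorbs the error cannot be seen from here.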
diff --git a/python/packages/devui/agent_framework_devui/_deployment.py b/python/packages/devui/agent_framework_devui/_deployment.py
index eaf40e4c45..45f99a315a 100644
--- a/python/packages/devui/agent_framework_devui/_deployment.py
+++ b/python/packages/devui/agent_framework_devui/_deployment.py
@@ -7,10 +7,10 @@
 import re
 import secrets
 import uuid
-from urllib.parse import urlparse
 from collections.abc import AsyncGenerator
 from datetime import datetime, timezone
 from pathlib import Path
+from urllib.parse import urlparse
 from .models._discovery_models import Deployment, DeploymentConfig, DeploymentEvent
@@ -473,7 +473,7 @@ async def _deploy_to_azure(
 urls = re.findall(r'https://[^\s<>"]+', line_text)
 for url in urls:
 # Strip common trailing punctuation to ensure clean URL parsing
- url_clean = url.rstrip('.,;:!?\'")}]')
+ url_clean = url.rstrip(".,;:!?'\")}]")
 host = urlparse(url_clean).hostname
 if host and (host == "azurecontainerapps.io" or host.endswith(".azurecontainerapps.io")):
 await event_queue.put(
diff --git a/python/uv.lock b/python/uv.lock
index f0657d5f68..a9a0e9592d 100644
--- a/python/uv.lock
+++ b/python/uv.lock
@@ -190,7 +190,7 @@ requires-dist = [
 [[package]]
 name = "agent-framework-ag-ui"
-version = "1.0.0b251114"
+version = "1.0.0b251117"
 source = { editable = "packages/ag-ui" }
 dependencies = [
 { name = "ag-ui-protocol", marker = "sys_platform == 'darwin' or sys_platform == 'linux' or sys_platform == 'win32'" },