Fix incomplete URL substring sanitization in test_custom_url_logged

[Copilot]

Summary

This PR fixes a security vulnerability in the test_custom_url_logged test case where URL validation was performed using substring matching, which could lead to false positives when validating URLs in log messages.

The Problem

The original test used substring matching to verify that a URL appears in log messages:

assert any("https://test.api.com" in msg for msg in log_messages)

This approach is vulnerable to incomplete URL substring sanitization. A malicious URL like https://test.api.com.evil.com would incorrectly pass the test because "https://test.api.com" is a substring of the malicious URL. This is a common security issue when sanitizing URLs, as substring matching doesn't validate the actual URL structure or hostname.

The Solution

The fix implements proper URL validation using urlparse() to extract and validate the hostname:

# Parse the expected URL to extract hostname
parsed_url = urlparse("https://test.api.com")
expected_hostname = parsed_url.hostname

# Extract URLs from log messages and validate exact hostname match
log_messages = [record.message for record in caplog.records]
assert any(
    urlparse(url).hostname == expected_hostname
    for msg in log_messages
    for url in re.findall(r"https?://[^\s]+", msg)
)

This approach:

1. Extracts the expected hostname (test.api.com) from the URL using urlparse()
2. Finds all URLs in log messages using regex pattern r"https?://[^\s]+"
3. Validates that the hostname of any found URL exactly matches the expected hostname

Security Impact

With this fix:

• ✅ https://test.api.com → Accepted (correct hostname)
• ❌ https://test.api.com.evil.com → Rejected (hostname is test.api.com.evil.com)
• ❌ https://evil.test.api.com → Rejected (hostname is evil.test.api.com)

Testing

• All 14 tests in test_config_util.py pass
• Linting (flake8, black) passes
• No breaking changes to existing functionality

Resolves code scanning alert #1: Incomplete URL substring sanitization

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization - Coding Agent</issue_title>
<issue_description>To fix the issue, the test should parse the URL using urlparse and validate its hostname before checking its presence in the log messages. This ensures that the URL structure is correct and avoids substring matching errors. Specifically, the test should extract the hostname from the URL and verify that it matches the expected hostname (test.api.com) before proceeding with the log message check.

</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #2

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.