fix(deepseek): use proper URL parsing for azure endpoint detection

Replace substring check `"azure.com" in url` with `urlparse`-based
hostname validation to prevent bypass via crafted URLs (CWE-20).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

libs/partners/deepseek/langchain_deepseek/chat_models.py

@@ -6,6 +6,7 @@ import json
 from collections.abc import Callable, Iterator, Sequence
 from json import JSONDecodeError
 from typing import Any, Literal, TypeAlias, cast
+from urllib.parse import urlparse
 
 import openai
 from langchain_core.callbacks import (
@@ -197,7 +198,8 @@ class ChatDeepSeek(BaseChatOpenAI):
     @property
     def _is_azure_endpoint(self) -> bool:
         """Check if the configured endpoint is an Azure deployment."""
-        return "azure.com" in (self.api_base or "").lower()
+        hostname = urlparse(self.api_base or "").hostname or ""
+        return hostname == "azure.com" or hostname.endswith(".azure.com")
 
     @property
     def _llm_type(self) -> str:

libs/partners/deepseek/tests/unit_tests/test_chat_models.py

@@ -348,6 +348,9 @@ class TestChatDeepSeekAzureToolChoice:
             DEFAULT_API_BASE,
             "https://api.openai.com/v1",
             "https://custom-endpoint.com/api",
+            "https://evil-azure.com/v1",  # hostname bypass attempt
+            "https://notazure.com.evil.com/",  # subdomain bypass attempt
+            "https://example.com/azure.com",  # path bypass attempt
         ]
         for endpoint in non_azure_endpoints:
             llm = ChatDeepSeek(