mirror of https://github.com/hwchase17/langchain.git synced 2026-03-18 02:53:16 +00:00

Files

John Kennedy 6335968237 fix(deepseek): use proper URL parsing for azure endpoint detection (#35455 )

## Summary

- Fixes [CodeQL alert
#43](https://github.com/langchain-ai/langchain/security/code-scanning/43)
(CWE-20: incomplete URL substring sanitization)
- Replaces `"azure.com" in url` substring check with `urlparse`-based
hostname validation to prevent bypass via crafted URLs (e.g.,
`https://evil-azure.com`, `https://example.com/azure.com`)
- Adds bypass-attempt test cases to the existing Azure endpoint
detection tests

## Why

The substring check `"azure.com" in url` matches URLs where `azure.com`
appears anywhere in the string, not just in the hostname. An
attacker-controlled endpoint like `https://evil-azure.com` or
`https://example.com/azure.com` would incorrectly trigger the Azure code
path. Using `urlparse` to extract and validate the hostname is the
standard fix per CodeQL guidance.

## Test plan

- [x] Existing Azure endpoint detection tests pass
- [x] New negative test cases for bypass attempts pass
- [x] `uv run pytest tests/unit_tests/test_chat_models.py -k azure` —
6/6 passing

> [!NOTE]
> This PR was authored with assistance from an AI agent (Claude Code).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-01 12:14:48 -05:00

core

chore: bump the langchain-deps group across 3 directories with 14 updates (#35441 )

2026-02-26 02:48:31 -08:00

langchain

chore: bump the langchain-deps group across 3 directories with 14 updates (#35441 )

2026-02-26 02:48:31 -08:00

langchain_v1

chore: bump langgraph-checkpoint from 3.0.1 to 4.0.0 in /libs/langchain_v1 (#35445 )

2026-02-26 13:47:28 -05:00

model-profiles

chore: bump langgraph-checkpoint from 3.0.0 to 4.0.0 in /libs/model-profiles (#35446 )

2026-02-26 13:45:49 -05:00

partners

fix(deepseek): use proper URL parsing for azure endpoint detection (#35455 )

2026-03-01 12:14:48 -05:00

standard-tests

chore: bump the other-deps group across 3 directories with 2 updates (#35407 )

2026-02-23 14:36:18 -08:00

text-splitters

chore: bump nltk from 3.9.2 to 3.9.3 in /libs/text-splitters (#35449 )

2026-02-26 02:46:32 -08:00

Makefile

feat(infra): add CI check for out of date lockfiles (#34397 )

2025-12-16 22:23:25 -05:00

README.md

chore: add more informative README for libs/ (#33339 )

2025-10-07 17:13:45 +00:00

README.md

Packages

Important

View all LangChain integrations packages

This repository is structured as a monorepo, with various packages located in this libs/ directory. Packages to note in this directory include:

core/             # Core primitives and abstractions for langchain
langchain/        # langchain-classic
langchain_v1/     # langchain
partners/         # Certain third-party providers integrations (see below)
standard-tests/   # Standardized tests for integrations
text-splitters/   # Text splitter utilities

(Each package contains its own README.md file with specific details about that package.)

Integrations (`partners/`)

The partners/ directory contains a small subset of third-party provider integrations that are maintained directly by the LangChain team. These include, but are not limited to:

Most integrations have been moved to their own repositories for improved versioning, dependency management, collaboration, and testing. This includes packages from popular providers such as Google and AWS. Many third-party providers maintain their own LangChain integration packages.

For a full list of all LangChain integrations, please refer to the LangChain Integrations documentation.

README.md

Packages

Integrations (partners/)

Integrations (`partners/`)