Harden preset URL installs against unsafe redirects

Preset URL installs already rejected non-HTTPS source URLs, but the authenticated opener follows redirects. Validate the final response URL before writing the ZIP, stream the response to disk, and keep catalog config serialization on safe YAML output.

Constraint: open_url follows redirects, so source URL validation alone does not constrain the downloaded target

Rejected: Keep response.read() for simplicity | large preset downloads should not be buffered entirely in memory

Confidence: high

Scope-risk: narrow

Directive: Keep preset URL policy aligned with workflow installer redirect validation

Tested: uvx ruff check src/specify_cli/presets/_commands.py tests/test_presets.py

Tested: uv run pytest tests/test_presets.py -q

Not-tested: Real network redirect integration against a live HTTP server

Author: darion-yaphet

src/specify_cli/presets/_commands.py

@@ -101,25 +101,43 @@ def preset_add(
 
         elif from_url:
             # Validate URL scheme before downloading
+            from ipaddress import ip_address
             from urllib.parse import urlparse as _urlparse
+
             _parsed = _urlparse(from_url)
-            _is_localhost = _parsed.hostname in ("localhost", "127.0.0.1", "::1")
-            if _parsed.scheme != "https" and not (_parsed.scheme == "http" and _is_localhost):
-                console.print(f"[red]Error:[/red] URL must use HTTPS (got {_parsed.scheme}://). HTTP is only allowed for localhost.")
+
+            def _is_allowed_download_url(parsed_url):
+                host = parsed_url.hostname or ""
+                is_loopback = host == "localhost"
+                if not is_loopback:
+                    try:
+                        is_loopback = ip_address(host).is_loopback
+                    except ValueError:
+                        # Host is not an IP literal (e.g., a regular hostname); treat as non-loopback.
+                        pass
+                return parsed_url.scheme == "https" or (parsed_url.scheme == "http" and is_loopback)
+
+            if not _is_allowed_download_url(_parsed):
+                console.print(f"[red]Error:[/red] URL must use HTTPS (got {_parsed.scheme}://). HTTP is only allowed for localhost/loopback.")
                 raise typer.Exit(1)
 
             console.print(f"Installing preset from [cyan]{from_url}[/cyan]...")
-            import urllib.request
             import urllib.error
             import tempfile
+            import shutil
 
             with tempfile.TemporaryDirectory() as tmpdir:
                 zip_path = Path(tmpdir) / "preset.zip"
                 try:
                     from specify_cli.authentication.http import open_url as _open_url
 
                     with _open_url(from_url, timeout=60) as response:
-                        zip_path.write_bytes(response.read())
+                        final_url = response.geturl()
+                        if not _is_allowed_download_url(_urlparse(final_url)):
+                            console.print(f"[red]Error:[/red] Preset URL redirected to non-HTTPS URL: {final_url}")
+                            raise typer.Exit(1)
+                        with zip_path.open("wb") as output:
+                            shutil.copyfileobj(response, output)
                 except urllib.error.URLError as e:
                     console.print(f"[red]Error:[/red] Failed to download: {e}")
                     raise typer.Exit(1)
@@ -606,7 +624,7 @@ def preset_catalog_add(
     })
 
     config["catalogs"] = catalogs
-    config_path.write_text(yaml.dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
+    config_path.write_text(yaml.safe_dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
 
     install_label = "install allowed" if install_allowed else "discovery only"
     console.print(f"\n[green]✓[/green] Added catalog '[bold]{name}[/bold]' ({install_label})")
@@ -648,7 +666,7 @@ def preset_catalog_remove(
         raise typer.Exit(1)
 
     config["catalogs"] = catalogs
-    config_path.write_text(yaml.dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
+    config_path.write_text(yaml.safe_dump(config, default_flow_style=False, sort_keys=False, allow_unicode=True), encoding="utf-8")
 
     console.print(f"[green]✓[/green] Removed catalog '{name}'")
     if not catalogs:

tests/test_presets.py

@@ -11,13 +11,15 @@
 """
 
 import pytest
+import io
 import json
 import tempfile
 import shutil
 import warnings
 import zipfile
 from pathlib import Path
 from datetime import datetime, timezone
+from types import SimpleNamespace
 
 import yaml
 
@@ -3687,6 +3689,85 @@ def test_bundled_preset_add_via_cli(self, project_dir):
         assert "Lean Workflow" in result.output
         assert "installed" in result.output.lower()
 
+    def test_preset_add_from_url_rejects_insecure_redirect(self, project_dir, monkeypatch):
+        """URL installs reject redirects from HTTPS to non-loopback HTTP."""
+        import typer
+        from specify_cli.presets._commands import preset_add
+
+        class FakeResponse(io.BytesIO):
+            def __enter__(self):
+                return self
+
+            def __exit__(self, exc_type, exc, tb):
+                return False
+
+            def geturl(self):
+                return "http://example.com/preset.zip"
+
+        monkeypatch.setattr("specify_cli._require_specify_project", lambda: project_dir)
+        monkeypatch.setattr("specify_cli.get_speckit_version", lambda: "0.6.0")
+        monkeypatch.setattr("specify_cli.authentication.http.open_url", lambda url, timeout: FakeResponse(b"zip"))
+
+        installed = False
+
+        def fake_install_from_zip(self, zip_path, speckit_version, priority=10):
+            nonlocal installed
+            installed = True
+
+        monkeypatch.setattr(PresetManager, "install_from_zip", fake_install_from_zip)
+
+        with pytest.raises(typer.Exit) as exc_info:
+            preset_add(preset_id=None, from_url="https://example.com/preset.zip", dev=None, priority=10)
+
+        assert exc_info.value.exit_code == 1
+        assert installed is False
+
+    def test_preset_add_from_url_streams_download_to_zip(self, project_dir, monkeypatch):
+        """URL installs stream response bytes to disk before installing the ZIP."""
+        from specify_cli.presets._commands import preset_add
+
+        class FakeResponse(io.BytesIO):
+            def __init__(self, data):
+                super().__init__(data)
+                self.read_sizes = []
+
+            def __enter__(self):
+                return self
+
+            def __exit__(self, exc_type, exc, tb):
+                return False
+
+            def geturl(self):
+                return "https://example.com/preset.zip"
+
+            def read(self, size=-1):
+                assert size not in (-1, None)
+                self.read_sizes.append(size)
+                return super().read(size)
+
+        response = FakeResponse(b"zip-bytes")
+        installed = {}
+
+        def fake_install_from_zip(self, zip_path, speckit_version, priority=10):
+            installed["zip_bytes"] = Path(zip_path).read_bytes()
+            installed["speckit_version"] = speckit_version
+            installed["priority"] = priority
+            return SimpleNamespace(name="Test Preset", version="1.0.0")
+
+        monkeypatch.setattr("specify_cli._require_specify_project", lambda: project_dir)
+        monkeypatch.setattr("specify_cli.get_speckit_version", lambda: "0.6.0")
+        monkeypatch.setattr("specify_cli.authentication.http.open_url", lambda url, timeout: response)
+        monkeypatch.setattr(PresetManager, "install_from_zip", fake_install_from_zip)
+
+        preset_add(preset_id=None, from_url="https://example.com/preset.zip", dev=None, priority=7)
+
+        assert response.read_sizes
+        assert installed == {
+            "zip_bytes": b"zip-bytes",
+            "speckit_version": "0.6.0",
+            "priority": 7,
+        }
+
     def test_bundled_preset_in_catalog(self):
         """Verify the lean preset is listed in catalog.json with bundled marker."""
         catalog_path = Path(__file__).parent.parent / "presets" / "catalog.json"