Potential fix for code scanning alert no. 12: Incomplete URL substring sanitization

[arjunsuresh]

Potential fix for https://github.com/mlcommons/mlcflow/security/code-scanning/12

The right way to fix this is to properly parse the repo variable as a URL, then check whether the hostname is exactly "github.com" or possibly in an allowlist of trusted hostnames (such as "github.com", optionally supporting subdomains if that is a use case).

• Use Python's built-in urllib.parse.urlparse to parse repo if it's a URL.
• Check the .hostname property for equality with "github.com". (Not a substring or endswith check.)
• If the scheme or hostname is not present, reject, or fall back to previous logic.
• Only proceed to self.github_url_to_user_repo_format if the parsed hostname is trusted.
• Replace the line elif "github.com" in repo: with a proper parse and check.
• Ensure that URLs like https://evil.com/github.com/foo do not pass.

The code to import is from urllib.parse import urlparse. Insert this import if not present.

All changes are confined to function(s) within mlc/repo_action.py as shown.

---

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[github-actions]

MLCommons CLA bot All contributors have signed the MLCommons CLA ✍️ ✅