fix(extension): reuse bounded URL archive download path

officialasishkumar · officialasishkumar · commit ab5e03398cfa · 2026-04-16T19:56:03.000+05:30
Signed-off-by: Asish Kumar &lt;officialasishkumar@gmail.com&gt;
diff --git a/src/specify_cli/__init__.py b/src/specify_cli/__init__.py
@@ -768,7 +768,7 @@ def _install_extension_archive(
         )
 
     if not tarfile.is_tarfile(archive_path):
-        raise ValidationError("Extension archive must be a ZIP, .tar.gz, or .tgz file")
+        raise ValidationError("Extension archive must be a ZIP, .tar, .tar.gz, or .tgz file")
 
     with tempfile.TemporaryDirectory() as tmpdir:
         temp_path = Path(tmpdir)
@@ -3695,45 +3695,14 @@ def extension_add(
                 manifest = manager.install_from_directory(source_path, speckit_version, priority=priority)
 
             elif from_url:
-                # Install from URL (ZIP file)
-                import urllib.request
-                import urllib.error
-                from urllib.parse import urlparse
-
-                # Validate URL
-                parsed = urlparse(from_url)
-                is_localhost = parsed.hostname in ("localhost", "127.0.0.1", "::1")
-
-                if parsed.scheme != "https" and not (parsed.scheme == "http" and is_localhost):
-                    console.print("[red]Error:[/red] URL must use HTTPS for security.")
-                    console.print("HTTP is only allowed for localhost URLs.")
-                    raise typer.Exit(1)
-
-                # Warn about untrusted sources
-                display_url = _redact_url_for_display(from_url)
-                console.print("[yellow]Warning:[/yellow] Installing from external URL.")
-                console.print("Only install extensions from sources you trust.\n")
-                console.print(f"Downloading from {display_url}...")
-
-                # Download ZIP to temp location
-                download_dir = project_root / ".specify" / "extensions" / ".cache" / "downloads"
-                download_dir.mkdir(parents=True, exist_ok=True)
-                zip_path = download_dir / f"{extension}-url-download.zip"
-
-                try:
-                    with urllib.request.urlopen(from_url, timeout=60) as response:
-                        zip_data = response.read()
-                    zip_path.write_bytes(zip_data)
-
-                    # Install from downloaded ZIP
-                    manifest = manager.install_from_zip(zip_path, speckit_version, priority=priority)
-                except urllib.error.URLError as e:
-                    console.print(f"[red]Error:[/red] Failed to download from {display_url}: {e}")
-                    raise typer.Exit(1)
-                finally:
-                    # Clean up downloaded ZIP
-                    if zip_path.exists():
-                        zip_path.unlink()
+                # Install from URL using bounded chunked download + archive validation.
+                manifest = _download_and_install_extension_url(
+                    manager,
+                    project_root,
+                    from_url,
+                    speckit_version,
+                    priority=priority,
+                )
 
             else:
                 # Try bundled extensions first (shipped with spec-kit)
diff --git a/tests/integrations/test_cli.py b/tests/integrations/test_cli.py
@@ -408,6 +408,20 @@ def test_tar_extension_archive_rejects_special_members(self, tmp_path):
         with pytest.raises(ValidationError, match="Unsupported TAR member type"):
             _install_extension_archive(object(), archive_path, "0.0.0")
 
+    def test_extension_archive_error_message_lists_plain_tar(self, tmp_path):
+        """Unsupported extension archive message should include plain .tar."""
+        from specify_cli import _install_extension_archive
+        from specify_cli.extensions import ValidationError
+
+        archive_path = tmp_path / "not-an-archive.txt"
+        archive_path.write_text("not an archive", encoding="utf-8")
+
+        with pytest.raises(
+            ValidationError,
+            match=r"ZIP, \.tar, \.tar\.gz, or \.tgz",
+        ):
+            _install_extension_archive(object(), archive_path, "0.0.0")
+
     def test_extension_url_downloads_in_bounded_chunks(self, tmp_path, monkeypatch):
         """URL extension downloads stream to disk instead of reading all bytes."""
         import urllib.request
@@ -464,6 +478,60 @@ def fake_install(manager, archive_path, speckit_version, priority=10):
             specify_cli.DOWNLOAD_CHUNK_BYTES,
         ]
 
+    def test_extension_add_from_url_uses_shared_bounded_download_helper(self, tmp_path, monkeypatch):
+        """extension add --from should reuse the bounded URL download helper."""
+        from types import SimpleNamespace
+        from typer.testing import CliRunner
+        import specify_cli
+        from specify_cli import app
+        from specify_cli.extensions import ExtensionManager
+
+        project = tmp_path / "url-extension-add"
+        project.mkdir()
+        (project / ".specify").mkdir()
+
+        captured = {}
+
+        def fake_download_and_install(manager, project_path, source_url, speckit_version, priority=10):
+            captured["manager"] = manager
+            captured["project_path"] = project_path
+            captured["source_url"] = source_url
+            captured["speckit_version"] = speckit_version
+            captured["priority"] = priority
+            return SimpleNamespace(
+                id="url-ext",
+                name="URL Extension",
+                version="1.0.0",
+                description="Downloaded from URL",
+                warnings=[],
+                commands=[],
+            )
+
+        monkeypatch.setattr(
+            specify_cli,
+            "_download_and_install_extension_url",
+            fake_download_and_install,
+        )
+
+        runner = CliRunner()
+        old_cwd = os.getcwd()
+        try:
+            os.chdir(project)
+            result = runner.invoke(
+                app,
+                ["extension", "add", "url-ext", "--from", "https://example.com/url-ext.zip"],
+                catch_exceptions=False,
+            )
+        finally:
+            os.chdir(old_cwd)
+
+        assert result.exit_code == 0, result.output
+        assert isinstance(captured["manager"], ExtensionManager)
+        assert captured["project_path"] == project
+        assert captured["source_url"] == "https://example.com/url-ext.zip"
+        assert captured["speckit_version"] == specify_cli.get_speckit_version()
+        assert captured["priority"] == 10
+
 
 class TestForceExistingDirectory:
     """Tests for --force merging into an existing named directory."""
