fix: tighten marketplace path validation

Co-authored-by: openhands <openhands@all-hands.dev>
2026-03-22 13:47:19 +08:00 · 2026-03-19 11:28:34 +00:00
parent d5e71ec79b
commit 41333a7c26
6 changed files with 55 additions and 9 deletions
--- a/openhands/app_server/app_conversation/app_conversation_service_base.py
+++ b/openhands/app_server/app_conversation/app_conversation_service_base.py
@@ -134,9 +134,10 @@ class AppConversationServiceBase(AppConversationService, ABC):
            try:
                user_info = await self.user_context.get_user_info()
                marketplace_path = user_info.marketplace_path
-            except Exception as e:
-                _logger.warning(
-                    f'Failed to load marketplace_path from user settings: {e}'
+            except NotImplementedError:
+                _logger.debug(
+                    'User context does not provide user settings; '
+                    'loading skills without marketplace_path override'
                )

            # Single API call to agent-server for ALL skills
--- a/openhands/storage/data_models/settings.py
+++ b/openhands/storage/data_models/settings.py
@@ -21,7 +21,7 @@ from openhands.core.config.mcp_config import MCPConfig
 from openhands.core.config.utils import load_openhands_config
 from openhands.storage.data_models.secrets import Secrets

-MARKETPLACE_PATH_PATTERN = re.compile(r'^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.-]+)*\.json$')
+MARKETPLACE_PATH_PATTERN = re.compile(r'^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.-]+)+\.json$')


 class SandboxGroupingStrategy(str, Enum):