fix: Correct default email format and improve User-Agent validation (#182) (#187)

coding-ai-assistant[bot] · florath · web-flow · commit 54fc2dd6fdf8 · 2025-12-01T07:40:08.000+01:00
This commit addresses two issues identified in CodeQL security scanning:

1. Fixed invalid default email address format: Changed from
   'noreply.aletheia-probe.org' to 'noreply@aletheia-probe.org'
   (missing '@' symbol)

2. Replaced substring matching with exact User-Agent format validation
   in tests to avoid triggering incomplete URL sanitization warnings

The original CodeQL alert was a false positive (the code wasn't validating
URLs for security purposes), but the investigation revealed a real bug in
the default email format. The improved test assertions now verify the exact
expected User-Agent format, which is more robust and avoids security scanner
warnings.

Co-authored-by: florath-ai-assistant[bot] &lt;Andreas.Florath@telekom.de&gt;
diff --git a/src/aletheia_probe/article_retraction_checker.py b/src/aletheia_probe/article_retraction_checker.py
@@ -57,7 +57,7 @@ def to_dict(self) -> dict[str, Any]:
 class ArticleRetractionChecker:
     """Checks individual articles (by DOI) for retraction status using multiple sources."""
 
-    def __init__(self, email: str = "noreply.aletheia-probe.org"):
+    def __init__(self, email: str = "noreply@aletheia-probe.org"):
         """
         Initialize the article retraction checker.
 
diff --git a/tests/unit/test_article_retraction_checker.py b/tests/unit/test_article_retraction_checker.py
@@ -94,19 +94,22 @@ def test_init_default_email(self):
         """Test ArticleRetractionChecker initialization with default email."""
         checker = ArticleRetractionChecker()
 
-        assert checker.email == "noreply.aletheia-probe.org"
+        assert checker.email == "noreply@aletheia-probe.org"
         assert checker.crossref_base_url == "https://api.crossref.org"
         assert "User-Agent" in checker.headers
-        assert "AletheiaProbe" in checker.headers["User-Agent"]
-        assert "noreply.aletheia-probe.org" in checker.headers["User-Agent"]
+        # Verify exact User-Agent format instead of substring matching
+        expected_user_agent = "AletheiaProbe/1.0 (mailto:noreply@aletheia-probe.org)"
+        assert checker.headers["User-Agent"] == expected_user_agent
 
     def test_init_custom_email(self):
         """Test ArticleRetractionChecker initialization with custom email."""
         custom_email = "test@example.com"
         checker = ArticleRetractionChecker(email=custom_email)
 
         assert checker.email == custom_email
-        assert custom_email in checker.headers["User-Agent"]
+        # Verify exact User-Agent format instead of substring matching
+        expected_user_agent = f"AletheiaProbe/1.0 (mailto:{custom_email})"
+        assert checker.headers["User-Agent"] == expected_user_agent
 
 
 class TestArticleRetractionCheckerDOIValidation:
