Potential fix for code scanning alert no. 22: Incomplete URL substring sanitization#5

Draft
Tanker187 wants to merge 1 commit into main from alert-autofix-22

Conversation

@Tanker187 (Owner)

Potential fix for https://github.com/Tanker187/stagehand/security/code-scanning/22

In general, to fix incomplete URL substring sanitization, you should parse the URL and compare its structured components (protocol, host, pathname) instead of using String.includes on the whole URL. This avoids matches where the expected domain appears in query parameters, path segments, or as part of another domain.

For this specific case, the intent is to confirm that the page is actually on Uber’s authentication domain when the evaluator says “YES”. The best fix is to replace page.url().includes("https://auth.uber.com/") with a comparison based on the parsed URL’s origin or hostname. In Node/TypeScript we can safely use the built‑in URL class (no new imports needed). We should also avoid changing other behavior, so we’ll keep the evaluation === "YES" logic and just tighten the URL check.

Concretely, in packages/evals/tasks/agent/ubereats.ts, around line 26–27, we will:

  • Introduce a local variable currentUrl = page.url();.
  • Parse it: const parsedUrl = new URL(currentUrl);.
  • Define const isAuthDomain = parsedUrl.origin === "https://auth.uber.com"; (or equivalently, check hostname === "auth.uber.com" and protocol === "https:").
  • Replace the page.url().includes("https://auth.uber.com/") condition with isAuthDomain.

No new imports are needed, because URL is globally available in recent Node.js and TypeScript targets.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…g sanitization

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Repository owner locked and limited conversation to collaborators Feb 18, 2026
Tanker187 self-assigned this Feb 18, 2026
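As an added example (not Stagehand's code and not part of the pull request), the substring check the alert flags is placed beside the parsed-origin check the description proposes, and both are run over a constructed set of URLs. The sample URLs, the `evil.example` host and the function names are assumptions for illustration; the expected origin is the one named in the alert.

```typescript
// Added example, not code from the Stagehand repository.
// Compares the flagged substring check with a structured-origin check.

const EXPECTED_ORIGIN = "https://auth.uber.com";

// The pattern flagged by "Incomplete URL substring sanitization":
// a substring test over the whole URL string.
function isAuthDomainSubstring(url: string): boolean {
  return url.includes("https://auth.uber.com/");
}

// The hardened check: parse first, then compare the structured origin
// (scheme + host + non-default port). Strings that are not absolute URLs
// make `new URL` throw; they are treated as "not on the auth domain"
// instead of crashing the caller.
function isAuthDomainParsed(url: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  return parsed.origin === EXPECTED_ORIGIN;
}

// Constructed sample inputs (hypothetical): [url, should be accepted].
const SAMPLES: ReadonlyArray<[string, boolean]> = [
  ["https://auth.uber.com/", true],
  ["https://auth.uber.com/login?next=%2Feats", true],
  // Parser lowercases scheme/host and drops the default port.
  ["HTTPS://AUTH.UBER.COM:443/", true],
  // Expected origin appears in a query parameter of another site.
  ["https://evil.example/?next=https://auth.uber.com/", false],
  // Expected origin appears in a path segment of another site.
  ["https://evil.example/https://auth.uber.com/", false],
  // Right host, wrong scheme.
  ["http://auth.uber.com/", false],
  // Expected host as a prefix of another host.
  ["https://auth.uber.com.evil.example/", false],
  // Not a URL at all.
  ["not a url", false],
];

interface Verdict {
  url: string;
  substring: boolean;
  parsed: boolean;
  expected: boolean;
}

// Runs both checks over every sample.
function compareChecks(): Verdict[] {
  return SAMPLES.map(([url, expected]) => ({
    url,
    substring: isAuthDomainSubstring(url),
    parsed: isAuthDomainParsed(url),
    expected,
  }));
}

// URLs the substring check accepts even though they are not on the
// expected origin, i.e. the bypasses the alert is about.
function substringBypasses(): string[] {
  return compareChecks()
    .filter((v) => v.substring && !v.expected)
    .map((v) => v.url);
}

for (const v of compareChecks()) {
  console.log(
    `${v.url.padEnd(52)} substring=${v.substring} parsed=${v.parsed} expected=${v.expected}`,
  );
}
console.log("substring-check bypasses:", substringBypasses());
```

Two points worth keeping in mind when applying this to the task file. The description's sketch calls `new URL(currentUrl)` without a `try`/`catch`; Playwright's `page.url()` normally returns a parseable URL (or `about:blank`, whose origin is the string `"null"`), so the bare call is unlikely to throw there, but a guarded parse costs nothing and avoids a thrown error turning into a false failure. And an origin comparison accepts any path on `auth.uber.com`; if the evaluation depends on a particular page, compare `parsed.pathname` as well, as the description's hostname/protocol alternative invites.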
