
[Security][Medium] Missing URL parameter encoding in Python verify.py functions #6

@numbers-official


Summary

Two functions in python/numbersprotocol_capture/verify.py build URLs by interpolating the caller-supplied `nid` directly into an f-string, without percent-encoding it. The TypeScript equivalents in ts/src/verify.ts correctly wrap the value in encodeURIComponent() (and the other helpers use URLSearchParams).

Affected Code

search_by_nid() — Line 27

def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={nid}"

asset_profile() — Line 63

def asset_profile(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/asset-profile?nid={nid}"

TypeScript (correct) — ts/src/verify.ts Lines 27, 64

searchByNid(nid: string): string {
    return `${VERIFY_BASE_URL}/search?nid=${encodeURIComponent(nid)}`
}
assetProfile(nid: string): string {
    return `${VERIFY_BASE_URL}/asset-profile?nid=${encodeURIComponent(nid)}`
}

Impact

  • Severity: Medium. In normal use the NID is a CID-style hash made of unreserved characters, so the unencoded URL is usually still well-formed and exploitation risk is low in practice. However, any value that reaches these functions from user input is interpreted as URL syntax rather than data: `&` and `=` let the caller inject additional query parameters, `#` truncates the query into a fragment so the intended `nid` is silently changed, and a space or other reserved character yields an invalid URL. In a browser context that amounts to query-parameter injection against the verify service.
  • Inconsistency: The same file's search_by_nft() and asset_profile_by_nft() functions already correctly use urlencode(), making this an oversight rather than a design choice.

Suggested Fix

Use urllib.parse.quote or urlencode consistently:

from urllib.parse import quote

def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={quote(nid, safe='')}"

def asset_profile(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/asset-profile?nid={quote(nid, safe='')}"

`quote(nid, safe='')` also encodes `/`, which matches what `encodeURIComponent()` does on the TypeScript side; `urlencode({'nid': nid})` would give the same result and match the file's existing `*_by_nft()` helpers. Either choice brings the Python SDK to parity with the TypeScript SDK.
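To make the difference concrete, here is an added, self-contained example (not code from the SDK) that places the reported pattern next to the two proposed encodings and checks each one the way a server would, by parsing the resulting URL back into query parameters. `VERIFY_BASE_URL` is a placeholder value assumed for the example, and the hostile NID strings are constructed inputs, not real NIDs.

```python
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Placeholder base URL assumed for this example; the SDK defines its own constant.
VERIFY_BASE_URL = "https://verify.example"


def search_by_nid_unencoded(nid: str) -> str:
    """Reported pattern: the NID is interpolated verbatim into the query string."""
    return f"{VERIFY_BASE_URL}/search?nid={nid}"


def search_by_nid_quoted(nid: str) -> str:
    """Proposed fix: percent-encode everything, including '/', like encodeURIComponent()."""
    return f"{VERIFY_BASE_URL}/search?nid={quote(nid, safe='')}"


def search_by_nid_urlencode(nid: str) -> str:
    """Equivalent fix via urlencode(), matching the file's *_by_nft() helpers."""
    return f"{VERIFY_BASE_URL}/search?{urlencode({'nid': nid})}"


def query_params(url: str) -> dict[str, list[str]]:
    """Parse the URL as a server or browser would and return the decoded query parameters."""
    return parse_qs(urlparse(url).query, keep_blank_values=True)


def nid_round_trips(builder, nid: str) -> bool:
    """True only if the URL carries exactly one parameter, `nid`, equal to the input."""
    return query_params(builder(nid)) == {"nid": [nid]}


if __name__ == "__main__":
    # Constructed inputs: a benign CID-like value and two hostile strings.
    samples = [
        "bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi",
        "abc&nid=evil",   # '&' and '=' inject a second nid parameter
        "abc#fragment",   # '#' turns the rest of the value into a fragment
    ]
    for nid in samples:
        for builder in (search_by_nid_unencoded, search_by_nid_quoted, search_by_nid_urlencode):
            url = builder(nid)
            print(f"{builder.__name__:26} {nid_round_trips(builder, nid)!s:5} {url} -> {query_params(url)}")
```

Running it shows that the unencoded builder turns `abc&nid=evil` into two `nid` parameters and drops `#fragment` entirely, while both encoded builders return exactly the input for every sample.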
