
fix: URL-encode nid parameter in Python verify.py search_by_nid and asset_profile#8

Draft
Copilot wants to merge 2 commits into main from copilot/fix-url-parameter-encoding

Conversation


Copilot AI commented Feb 26, 2026

search_by_nid() and asset_profile() in verify.py interpolated the nid parameter directly into URLs, allowing special characters (&, =, #, spaces) to break URL parsing or inject extra query parameters. The TypeScript SDK already uses encodeURIComponent(), and the same file's NFT variants already use urlencode() — this was an oversight.

Changes

  • verify.py: Apply urllib.parse.quote(nid, safe='') in search_by_nid() and asset_profile(), matching TypeScript's encodeURIComponent() behavior.
  • tests/test_verify.py: New test file covering normal NID pass-through and special character encoding for all four verify.py URL helpers.
```python
# Before
def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={nid}"

# After
from urllib.parse import quote

def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={quote(nid, safe='')}"
```
Original prompt

This section details the original issue you should resolve.

<issue_title>[Security][Medium] Missing URL parameter encoding in Python verify.py functions</issue_title>
<issue_description>Summary

Two functions in python/numbersprotocol_capture/verify.py construct URLs using direct f-string interpolation without encoding user-supplied parameters, while the TypeScript equivalents correctly use encodeURIComponent() / URLSearchParams.

Affected Code

search_by_nid() — Line 27

```python
def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={nid}"
```

asset_profile() — Line 63

```python
def asset_profile(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/asset-profile?nid={nid}"
```

TypeScript (correct) — ts/src/verify.ts Lines 27, 64

```typescript
searchByNid(nid: string): string {
    return `${VERIFY_BASE_URL}/search?nid=${encodeURIComponent(nid)}`
}
assetProfile(nid: string): string {
    return `${VERIFY_BASE_URL}/asset-profile?nid=${encodeURIComponent(nid)}`
}
```

Impact

  • Severity: Medium. The NID values are typically CID hashes (safe characters), so exploitation risk is low in practice. However, if any user-controlled string is passed, special characters (&, =, #, spaces) could break URL parsing or enable open-redirect / parameter injection in a browser context.
  • Inconsistency: The same file's search_by_nft() and asset_profile_by_nft() functions already correctly use urlencode(), making this an oversight rather than a design choice.

Suggested Fix

Use urllib.parse.quote or urlencode consistently:

```python
from urllib.parse import quote

def search_by_nid(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/search?nid={quote(nid, safe='')}"

def asset_profile(nid: str) -> str:
    return f"{VERIFY_BASE_URL}/asset-profile?nid={quote(nid, safe='')}"
```

This aligns the Python SDK with the TypeScript SDK's behavior and ensures parity.</issue_description>


Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix missing URL parameter encoding in verify.py functions fix: URL-encode nid parameter in Python verify.py search_by_nid and asset_profile Feb 26, 2026
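As an added illustration (not code from the repository or from the PR), the following reproduces the parameter-injection and fragment-truncation cases the issue describes, side by side with the `quote(nid, safe='')` fix, and parses the resulting URLs the way a server would. `VERIFY_BASE_URL` is an assumed placeholder and the sample NIDs are constructed.

```python
from urllib.parse import quote, urlparse, parse_qs

# Assumed placeholder; the real SDK defines its own VERIFY_BASE_URL.
VERIFY_BASE_URL = "https://verify.example.test"


def search_by_nid_unencoded(nid: str) -> str:
    """Pre-fix behaviour: the NID is interpolated into the URL verbatim."""
    return f"{VERIFY_BASE_URL}/search?nid={nid}"


def search_by_nid(nid: str) -> str:
    """Fixed behaviour: percent-encode every reserved character.

    safe='' also encodes '/', which quote() would otherwise leave alone,
    so the NID always stays inside a single query value.
    """
    return f"{VERIFY_BASE_URL}/search?nid={quote(nid, safe='')}"


def query_params(url: str) -> dict:
    """Parse the URL the way a server would: {name: [value, ...]}."""
    return parse_qs(urlparse(url).query, keep_blank_values=True)


def fragment(url: str) -> str:
    """Return the part after '#', which a browser never sends to the server."""
    return urlparse(url).fragment


if __name__ == "__main__":
    # Constructed inputs: a CID-style NID plus strings containing reserved characters.
    samples = [
        "bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi",
        "abc&debug=true",   # '&' splits off a second parameter when unencoded
        "abc#rest",         # '#' turns the remainder into a fragment
        "a b/c",            # space and '/' survive only when encoded
    ]
    for nid in samples:
        before, after = search_by_nid_unencoded(nid), search_by_nid(nid)
        print(nid, "->", query_params(before), "|", query_params(after))
```

For a well-formed CID the two helpers produce identical URLs, which is why the issue rates the practical risk as low; the difference only appears once a reserved character reaches the parameter.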


Development

Successfully merging this pull request may close these issues.

[Security][Medium] Missing URL parameter encoding in Python verify.py functions
