
Commit 08fb991

Reject encoded credential delimiters in base URL hosts
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent f8f6d40 commit 08fb991


3 files changed

+13
-1
lines changed


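--- a/hyperbrowser/config.py
+++ b/hyperbrowser/config.py
@@ -103,7 +103,7 @@ def normalize_base_url(base_url: str) -> str:
 for character in decoded_base_netloc
 ):
 raise HyperbrowserError("base_url host must not contain control characters")
-if any(character in {"?", "#", "/"} for character in decoded_base_netloc):
+if any(character in {"?", "#", "/", "@"} for character in decoded_base_netloc):
 raise HyperbrowserError(
 "base_url host must not contain encoded delimiter characters"
 )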
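Review bot: The delimiter set on the changed line of normalize_base_url still leaves out the backslash, which WHATWG-style URL parsers treat as equivalent to `/` in http and https URLs, so a host that decodes to contain `\` could be read as a different authority by a downstream HTTP stack than by this validator. Unless a check outside this hunk already rejects it, consider `if any(character in {"?", "#", "/", "@", "\\"} for character in decoded_base_netloc):`. Naming the set as a module-level constant with a comment such as `# characters that move the end of the authority once percent-decoded` would also make the next addition easier to review. The function starts and ends outside the hunk, so how decoded_base_netloc is produced is not visible here.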

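--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -410,6 +410,11 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
 match="base_url host must not contain encoded delimiter characters",
 ):
 ClientConfig.normalize_base_url("https://example.local%252Fapi")
+with pytest.raises(
+HyperbrowserError,
+match="base_url host must not contain encoded delimiter characters",
+):
+ClientConfig.normalize_base_url("https://example.local%2540attacker.com")
 with pytest.raises(
 HyperbrowserError,
 match="base_url path must not contain encoded query or fragment delimiters",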
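Review bot: The added case in test_client_config_normalize_base_url_validates_and_normalizes pins only the double-encoded `%2540` form; within this commit the single-encoded `%40` host is exercised only through `client._build_url` in tests/test_url_building.py. If no assertion outside this hunk covers it, add `ClientConfig.normalize_base_url("https://example.local%40attacker.com")` under the same `pytest.raises(HyperbrowserError, match=...)` so both decoding depths are checked at the entry point that owns the rule. The test function begins and ends outside the hunk.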

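--- a/tests/test_url_building.py
+++ b/tests/test_url_building.py
@@ -143,6 +143,13 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
 ):
 client._build_url("/session")
 
+client.config.base_url = "https://example.local%40attacker.com"
+with pytest.raises(
+HyperbrowserError,
+match="base_url host must not contain encoded delimiter characters",
+):
+client._build_url("/session")
+
 client.config.base_url = "https://user:pass@example.local"
 with pytest.raises(
 HyperbrowserError, match="base_url must not include user credentials"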
