Allow explicit base URL ports while blocking encoded host delimiters

cursoragent · shrisukhani · cursoragent · commit 9047a08d702e · 2026-02-13T10:52:08.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/config.py b/hyperbrowser/config.py
@@ -1,11 +1,14 @@
 from dataclasses import dataclass
+import re
 from urllib.parse import unquote, urlparse
 from typing import Dict, Mapping, Optional
 import os
 
 from .exceptions import HyperbrowserError
 from .header_utils import normalize_headers, parse_headers_env_json
 
+_ENCODED_HOST_DELIMITER_PATTERN = re.compile(r"%(?:2f|3f|23|40|3a)", re.IGNORECASE)
+
 
 @dataclass
 class ClientConfig:
@@ -102,6 +105,10 @@ def normalize_base_url(base_url: str) -> str:
 
         decoded_base_netloc = parsed_base_url.netloc
         for _ in range(10):
+            if _ENCODED_HOST_DELIMITER_PATTERN.search(decoded_base_netloc):
+                raise HyperbrowserError(
+                    "base_url host must not contain encoded delimiter characters"
+                )
             next_decoded_base_netloc = unquote(decoded_base_netloc)
             if next_decoded_base_netloc == decoded_base_netloc:
                 break
@@ -121,9 +128,7 @@ def normalize_base_url(base_url: str) -> str:
             for character in decoded_base_netloc
         ):
             raise HyperbrowserError("base_url host must not contain control characters")
-        if any(
-            character in {"?", "#", "/", "@", ":"} for character in decoded_base_netloc
-        ):
+        if any(character in {"?", "#", "/", "@"} for character in decoded_base_netloc):
             raise HyperbrowserError(
                 "base_url host must not contain encoded delimiter characters"
             )
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -360,6 +360,10 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         ClientConfig.normalize_base_url(" https://example.local/custom/api/ ")
         == "https://example.local/custom/api"
     )
+    assert (
+        ClientConfig.normalize_base_url("https://example.local:443/custom/api")
+        == "https://example.local:443/custom/api"
+    )
 
     with pytest.raises(HyperbrowserError, match="base_url must be a string"):
         ClientConfig.normalize_base_url(None)  # type: ignore[arg-type]
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -47,6 +47,16 @@ def test_client_build_url_uses_normalized_base_url():
         client.close()
 
 
+def test_client_build_url_supports_base_url_with_port():
+    client = Hyperbrowser(
+        config=ClientConfig(api_key="test-key", base_url="https://example.local:8443")
+    )
+    try:
+        assert client._build_url("/session") == "https://example.local:8443/api/session"
+    finally:
+        client.close()
+
+
 def test_client_build_url_avoids_duplicate_api_when_base_url_already_has_api():
     client = Hyperbrowser(
         config=ClientConfig(api_key="test-key", base_url="https://example.local/api")
