Reject encoded query delimiters in base URL paths

cursoragent · shrisukhani · cursoragent · commit ba99b76d4552 · 2026-02-13T10:05:59.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/config.py b/hyperbrowser/config.py
@@ -81,6 +81,10 @@ def normalize_base_url(base_url: str) -> str:
             raise HyperbrowserError(
                 "base_url path must not contain relative path segments"
             )
+        if "?" in decoded_base_path or "#" in decoded_base_path:
+            raise HyperbrowserError(
+                "base_url path must not contain encoded query or fragment delimiters"
+            )
 
         decoded_base_netloc = parsed_base_url.netloc
         for _ in range(10):
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -234,6 +234,11 @@ def test_client_config_rejects_empty_or_invalid_base_url():
         HyperbrowserError, match="base_url path must not contain relative path segments"
     ):
         ClientConfig(api_key="test-key", base_url="https://example.local/%2e%2e/api")
+    with pytest.raises(
+        HyperbrowserError,
+        match="base_url path must not contain encoded query or fragment delimiters",
+    ):
+        ClientConfig(api_key="test-key", base_url="https://example.local/%3Fapi")
 
 
 def test_client_config_normalizes_headers_to_internal_copy():
@@ -400,3 +405,8 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         HyperbrowserError, match="base_url host must not contain control characters"
     ):
         ClientConfig.normalize_base_url("https://example.local%2500")
+    with pytest.raises(
+        HyperbrowserError,
+        match="base_url path must not contain encoded query or fragment delimiters",
+    ):
+        ClientConfig.normalize_base_url("https://example.local/%253Fapi")
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -129,6 +129,13 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
         ):
             client._build_url("/session")
 
+        client.config.base_url = "https://example.local/%3Fapi"
+        with pytest.raises(
+            HyperbrowserError,
+            match="base_url path must not contain encoded query or fragment delimiters",
+        ):
+            client._build_url("/session")
+
         client.config.base_url = "https://user:pass@example.local"
         with pytest.raises(
             HyperbrowserError, match="base_url must not include user credentials"
