
Commit ba99b76

Reject encoded query delimiters in base URL paths
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent 856929f commit ba99b76

3 files changed

Lines changed: 21 additions & 0 deletions


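--- a/hyperbrowser/config.py
+++ b/hyperbrowser/config.py
@@ -81,6 +81,10 @@ def normalize_base_url(base_url: str) -> str:
 raise HyperbrowserError(
 "base_url path must not contain relative path segments"
 )
+if "?" in decoded_base_path or "#" in decoded_base_path:
+raise HyperbrowserError(
+"base_url path must not contain encoded query or fragment delimiters"
+)
 
 decoded_base_netloc = parsed_base_url.netloc
 for _ in range(10):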
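Review bot: The `?`/`#` guard added after the relative-segment check is only as strong as the decoding that produced `decoded_base_path`, and that code lies above the hunk. The netloc handling just below uses `for _ in range(10):`; if the path is unquoted with the same bound, it is worth confirming that a value which would still change on one more unquote pass is rejected rather than treated as fully decoded, since otherwise this check would never see the delimiter. A one-line comment would also help the next reader, e.g. `# a literal ?/# never reaches the parsed path, so any found after decoding was percent-encoded` (assuming `parsed_base_url` comes from a standard URL split). The body of normalize_base_url starts and ends outside the hunk.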

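--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -234,6 +234,11 @@ def test_client_config_rejects_empty_or_invalid_base_url():
 HyperbrowserError, match="base_url path must not contain relative path segments"
 ):
 ClientConfig(api_key="test-key", base_url="https://example.local/%2e%2e/api")
+with pytest.raises(
+HyperbrowserError,
+match="base_url path must not contain encoded query or fragment delimiters",
+):
+ClientConfig(api_key="test-key", base_url="https://example.local/%3Fapi")
 
 
 def test_client_config_normalizes_headers_to_internal_copy():
@@ -400,3 +405,8 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
 HyperbrowserError, match="base_url host must not contain control characters"
 ):
 ClientConfig.normalize_base_url("https://example.local%2500")
+with pytest.raises(
+HyperbrowserError,
+match="base_url path must not contain encoded query or fragment delimiters",
+):
+ClientConfig.normalize_base_url("https://example.local/%253Fapi")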
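Review bot: Both cases added in this file cover only the `?` branch (`%3Fapi` and the double-encoded `%253Fapi`), so the `"#" in decoded_base_path` half of the new condition has no test; the case added in tests/test_url_building.py has the same gap. A sibling `pytest.raises` block with a constructed input such as `base_url="https://example.local/%23api"`, expecting the same message, would pin the fragment branch and catch a later edit that drops it. For the `normalize_base_url` test a double-encoded constructed value such as `"https://example.local/%2523api"` would mirror the existing `%253F` case. Both test functions start outside their hunks.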

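--- a/tests/test_url_building.py
+++ b/tests/test_url_building.py
@@ -129,6 +129,13 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
 ):
 client._build_url("/session")
 
+client.config.base_url = "https://example.local/%3Fapi"
+with pytest.raises(
+HyperbrowserError,
+match="base_url path must not contain encoded query or fragment delimiters",
+):
+client._build_url("/session")
+
 client.config.base_url = "https://user:pass@example.local"
 with pytest.raises(
 HyperbrowserError, match="base_url must not include user credentials"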
