Reject absolute URLs in internal path builder

cursoragent · shrisukhani · cursoragent · commit 2b0dd426968e · 2026-02-13T07:06:45.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -71,6 +71,8 @@ def _build_url(self, path: str) -> str:
         stripped_path = path.strip()
         if not stripped_path:
             raise HyperbrowserError("path must not be empty")
+        if "://" in stripped_path:
+            raise HyperbrowserError("path must be a relative API path")
         normalized_path = f"/{stripped_path.lstrip('/')}"
         if normalized_path == "/api" or normalized_path.startswith("/api/"):
             return f"{self.config.base_url}{normalized_path}"
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -49,5 +49,7 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             client._build_url("   ")
         with pytest.raises(HyperbrowserError, match="path must be a string"):
             client._build_url(123)  # type: ignore[arg-type]
+        with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
+            client._build_url("https://api.hyperbrowser.ai/session")
     finally:
         client.close()
