Skip to content

Commit 2b0dd42

Browse files
Reject absolute URLs in internal path builder
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent 6f0f4ae commit 2b0dd42

File tree

2 files changed

+4
-0
lines changed

2 files changed

+4
-0
lines changed

hyperbrowser/client/base.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -71,6 +71,8 @@ def _build_url(self, path: str) -> str:
7171
stripped_path = path.strip()
7272
if not stripped_path:
7373
raise HyperbrowserError("path must not be empty")
74+
if "://" in stripped_path:
75+
raise HyperbrowserError("path must be a relative API path")
7476
normalized_path = f"/{stripped_path.lstrip('/')}"
7577
if normalized_path == "/api" or normalized_path.startswith("/api/"):
7678
return f"{self.config.base_url}{normalized_path}"

tests/test_url_building.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -49,5 +49,7 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
4949
client._build_url(" ")
5050
with pytest.raises(HyperbrowserError, match="path must be a string"):
5151
client._build_url(123) # type: ignore[arg-type]
52+
with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
53+
client._build_url("https://api.hyperbrowser.ai/session")
5254
finally:
5355
client.close()

0 commit comments

Comments
 (0)