
Commit 8fc8342

Reject encoded port delimiters in base URL hosts
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent 013933a commit 8fc8342


3 files changed

+15
-1
lines changed


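--- a/hyperbrowser/config.py
+++ b/hyperbrowser/config.py
@@ -121,7 +121,9 @@ def normalize_base_url(base_url: str) -> str:
 for character in decoded_base_netloc
 ):
 raise HyperbrowserError("base_url host must not contain control characters")
-if any(character in {"?", "#", "/", "@"} for character in decoded_base_netloc):
+if any(
+character in {"?", "#", "/", "@", ":"} for character in decoded_base_netloc
+):
 raise HyperbrowserError(
 "base_url host must not contain encoded delimiter characters"
 )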
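Review bot: The widened set on the new `character in {"?", "#", "/", "@", ":"}` line rejects every colon in `decoded_base_netloc`, and nothing visible in this hunk exempts IPv6 literals. If that value comes from the parsed hostname, a parser such as `urllib.parse` returns `::1` for `https://[::1]:8443`, so such a base URL would now fail with the "encoded delimiter" message although nothing in it was encoded; how `decoded_base_netloc` is built lies outside the hunk, as do the start and end of `normalize_base_url`, so this needs confirming. Either pin the intended IPv6 behaviour with a test or skip the colon check when the raw host is a bracketed literal. A one-line comment above the check would also record the reason, e.g. `# a decoded ':' means an encoded port delimiter (%3A) was hidden in the host`.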

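--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -436,6 +436,11 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
 match="base_url host must not contain encoded delimiter characters",
 ):
 ClientConfig.normalize_base_url("https://example.local%2540attacker.com")
+with pytest.raises(
+HyperbrowserError,
+match="base_url host must not contain encoded delimiter characters",
+):
+ClientConfig.normalize_base_url("https://example.local%253A443")
 with pytest.raises(
 HyperbrowserError,
 match="base_url path must not contain encoded query or fragment delimiters",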
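Review bot: The added `%253A443` case only asserts the rejection path; none of the visible lines check that a base URL with a literal port still normalizes now that `":"` is in the rejected set. A call such as `ClientConfig.normalize_base_url("https://example.local:443")` outside any `pytest.raises` block would guard against the host check starting to reject legitimate ports. Such an assertion may already exist elsewhere in this test, whose body extends beyond the hunk.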

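--- a/tests/test_url_building.py
+++ b/tests/test_url_building.py
@@ -167,6 +167,13 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
 ):
 client._build_url("/session")
 
+client.config.base_url = "https://example.local%3A443"
+with pytest.raises(
+HyperbrowserError,
+match="base_url host must not contain encoded delimiter characters",
+):
+client._build_url("/session")
+
 client.config.base_url = "https://user:pass@example.local"
 with pytest.raises(
 HyperbrowserError, match="base_url must not include user credentials"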
