Harden URL builder against runtime base_url misconfiguration

cursoragent · shrisukhani · cursoragent · commit ad3e469f8bf5 · 2026-02-13T08:42:24.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -87,9 +87,19 @@ def _build_url(self, path: str) -> str:
         normalized_query_suffix = (
             f"?{normalized_parts.query}" if normalized_parts.query else ""
         )
-        base_has_api_suffix = (
-            urlparse(self.config.base_url).path.rstrip("/").endswith("/api")
-        )
+        parsed_base_url = urlparse(self.config.base_url)
+        if (
+            parsed_base_url.scheme not in {"https", "http"}
+            or not parsed_base_url.netloc
+        ):
+            raise HyperbrowserError(
+                "base_url must start with 'https://' or 'http://' and include a host"
+            )
+        if parsed_base_url.query or parsed_base_url.fragment:
+            raise HyperbrowserError(
+                "base_url must not include query parameters or fragments"
+            )
+        base_has_api_suffix = parsed_base_url.path.rstrip("/").endswith("/api")
 
         if normalized_path_only == "/api" or normalized_path_only.startswith("/api/"):
             if base_has_api_suffix:
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -85,6 +85,22 @@ def test_client_build_url_reflects_runtime_base_url_changes():
         client.close()
 
 
+def test_client_build_url_rejects_runtime_invalid_base_url_changes():
+    client = Hyperbrowser(config=ClientConfig(api_key="test-key"))
+    try:
+        client.config.base_url = "invalid-base-url"
+        with pytest.raises(HyperbrowserError, match="include a host"):
+            client._build_url("/session")
+
+        client.config.base_url = "https://example.local?foo=bar"
+        with pytest.raises(
+            HyperbrowserError, match="must not include query parameters"
+        ):
+            client._build_url("/session")
+    finally:
+        client.close()
+
+
 def test_client_build_url_rejects_empty_or_non_string_paths():
     client = Hyperbrowser(config=ClientConfig(api_key="test-key"))
     try:
