Harden base URL validation for encoded host and credentials

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/config.py

@@ -58,6 +58,8 @@ def normalize_base_url(base_url: str) -> str:
             raise HyperbrowserError(
                 "base_url must not include query parameters or fragments"
             )
+        if parsed_base_url.username is not None or parsed_base_url.password is not None:
+            raise HyperbrowserError("base_url must not include user credentials")
 
         decoded_base_path = parsed_base_url.path
         for _ in range(10):
@@ -79,6 +81,24 @@ def normalize_base_url(base_url: str) -> str:
             raise HyperbrowserError(
                 "base_url path must not contain relative path segments"
             )
+
+        decoded_base_netloc = parsed_base_url.netloc
+        for _ in range(10):
+            next_decoded_base_netloc = unquote(decoded_base_netloc)
+            if next_decoded_base_netloc == decoded_base_netloc:
+                break
+            decoded_base_netloc = next_decoded_base_netloc
+        if "\\" in decoded_base_netloc:
+            raise HyperbrowserError("base_url host must not contain backslashes")
+        if any(character.isspace() for character in decoded_base_netloc):
+            raise HyperbrowserError(
+                "base_url host must not contain whitespace characters"
+            )
+        if any(
+            ord(character) < 32 or ord(character) == 127
+            for character in decoded_base_netloc
+        ):
+            raise HyperbrowserError("base_url host must not contain control characters")
         return normalized_base_url
 
     @classmethod

tests/test_config.py

@@ -208,6 +208,10 @@ def test_client_config_rejects_empty_or_invalid_base_url():
 
     with pytest.raises(HyperbrowserError, match="must not include query parameters"):
         ClientConfig(api_key="test-key", base_url="https://example.local#frag")
+    with pytest.raises(
+        HyperbrowserError, match="base_url must not include user credentials"
+    ):
+        ClientConfig(api_key="test-key", base_url="https://user:pass@example.local")
 
     with pytest.raises(
         HyperbrowserError, match="base_url must not contain newline characters"
@@ -360,6 +364,10 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         HyperbrowserError, match="base_url must not contain control characters"
     ):
         ClientConfig.normalize_base_url("https://example.local\x00api")
+    with pytest.raises(
+        HyperbrowserError, match="base_url must not include user credentials"
+    ):
+        ClientConfig.normalize_base_url("https://user:pass@example.local")
     with pytest.raises(
         HyperbrowserError, match="base_url path must not contain relative path segments"
     ):
@@ -372,3 +380,15 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         HyperbrowserError, match="base_url must not contain whitespace characters"
     ):
         ClientConfig.normalize_base_url("https://example.local/%2520api")
+    with pytest.raises(
+        HyperbrowserError, match="base_url host must not contain backslashes"
+    ):
+        ClientConfig.normalize_base_url("https://example.local%255C")
+    with pytest.raises(
+        HyperbrowserError, match="base_url host must not contain whitespace characters"
+    ):
+        ClientConfig.normalize_base_url("https://example.local%2520")
+    with pytest.raises(
+        HyperbrowserError, match="base_url host must not contain control characters"
+    ):
+        ClientConfig.normalize_base_url("https://example.local%2500")

tests/test_url_building.py

@@ -129,6 +129,12 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
         ):
             client._build_url("/session")
 
+        client.config.base_url = "https://user:pass@example.local"
+        with pytest.raises(
+            HyperbrowserError, match="base_url must not include user credentials"
+        ):
+            client._build_url("/session")
+
         client.config.base_url = "   "
         with pytest.raises(HyperbrowserError, match="base_url must not be empty"):
             client._build_url("/session")