Reject all scheme-qualified path inputs in URL builder

cursoragent · shrisukhani · cursoragent · commit 075b6f112b8d · 2026-02-13T07:29:44.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -75,7 +75,7 @@ def _build_url(self, path: str) -> str:
         if "\\" in stripped_path:
             raise HyperbrowserError("path must not contain backslashes")
         parsed_path = urlparse(stripped_path)
-        if parsed_path.scheme and parsed_path.netloc:
+        if parsed_path.scheme:
             raise HyperbrowserError("path must be a relative API path")
         normalized_path = f"/{stripped_path.lstrip('/')}"
         if normalized_path == "/api" or normalized_path.startswith("/api/"):
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -55,6 +55,10 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             client._build_url(r"\\session")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
             client._build_url("https://api.hyperbrowser.ai/session")
+        with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
+            client._build_url("mailto:ops@hyperbrowser.ai")
+        with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
+            client._build_url("http:example.com")
     finally:
         client.close()
 
