Validate parsed base URL port ranges

cursoragent · shrisukhani · cursoragent · commit bd0e4453ec2f · 2026-02-13T23:41:37.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/config.py b/hyperbrowser/config.py
@@ -188,6 +188,8 @@ def normalize_base_url(base_url: str) -> str:
             or not isinstance(parsed_base_url_port, int)
         ):
             raise HyperbrowserError("base_url parser returned invalid URL components")
+        if parsed_base_url_port is not None and not (0 <= parsed_base_url_port <= 65535):
+            raise HyperbrowserError("base_url parser returned invalid URL components")
 
         decoded_base_path = ClientConfig._decode_url_component_with_limit(
             parsed_base_url_path, component_label="base_url path"
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -644,6 +644,56 @@ def port(self):
         ClientConfig.normalize_base_url("https://example.local")
 
 
+def test_client_config_normalize_base_url_rejects_out_of_range_port_values(
+    monkeypatch: pytest.MonkeyPatch,
+):
+    class _ParsedURL:
+        scheme = "https"
+        netloc = "example.local"
+        hostname = "example.local"
+        query = ""
+        fragment = ""
+        username = None
+        password = None
+        path = "/api"
+
+        @property
+        def port(self) -> int:
+            return 70000
+
+    monkeypatch.setattr(config_module, "urlparse", lambda _value: _ParsedURL())
+
+    with pytest.raises(
+        HyperbrowserError, match="base_url parser returned invalid URL components"
+    ):
+        ClientConfig.normalize_base_url("https://example.local")
+
+
+def test_client_config_normalize_base_url_rejects_negative_port_values(
+    monkeypatch: pytest.MonkeyPatch,
+):
+    class _ParsedURL:
+        scheme = "https"
+        netloc = "example.local"
+        hostname = "example.local"
+        query = ""
+        fragment = ""
+        username = None
+        password = None
+        path = "/api"
+
+        @property
+        def port(self) -> int:
+            return -1
+
+    monkeypatch.setattr(config_module, "urlparse", lambda _value: _ParsedURL())
+
+    with pytest.raises(
+        HyperbrowserError, match="base_url parser returned invalid URL components"
+    ):
+        ClientConfig.normalize_base_url("https://example.local")
+
+
 def test_client_config_normalize_base_url_wraps_hostname_access_errors(
     monkeypatch: pytest.MonkeyPatch,
 ):
