From 44b11025fb0772a6c19b31164e2269a32b69bd2a Mon Sep 17 00:00:00 2001
From: O V E R T R U E
Date: Sun, 31 May 2026 22:03:59 +0800
Subject: [PATCH] fix: reject alias endpoints with path components

---
 crates/core/src/alias.rs | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/crates/core/src/alias.rs b/crates/core/src/alias.rs
index ebaabf2..cafef44 100644
--- a/crates/core/src/alias.rs
+++ b/crates/core/src/alias.rs
@@ -387,6 +387,12 @@ fn validate_http_endpoint_url(url: &Url, label: &str) -> Result<()> {
 return Err(Error::Config(format!("{label} must include a host")));
 }

+ if !matches!(url.path(), "" | "/") || url.query().is_some() || url.fragment().is_some() {
+ return Err(Error::Config(format!(
+ "{label} must not include a non-root path, query, or fragment"
+ )));
+ }
+
 Ok(())
 }

@@ -675,6 +681,25 @@ mod tests {
 );
 }

+ #[test]
+ fn test_validate_alias_endpoint_rejects_path_query_and_fragment() {
+ for endpoint in [
+ "http://localhost:9000/api",
+ "http://localhost:9000?region=us-east-1",
+ "http://localhost:9000#alias",
+ ] {
+ let result = validate_alias_endpoint(endpoint);
+
+ assert!(result.is_err(), "endpoint should be rejected: {endpoint}");
+ assert!(
+ result
+ .unwrap_err()
+ .to_string()
+ .contains("Endpoint must not include a non-root path, query, or fragment")
+ );
+ }
+ }
+
 #[test]
 fn test_validate_alias_endpoint_accepts_http_url_with_host() {
 validate_alias_endpoint("http://localhost:9000").unwrap();
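Review bot: The new guard in `validate_http_endpoint_url` rejects a path, query or fragment, but nothing visible in this hunk rejects userinfo, so an endpoint of the form `http://user:secret@localhost:9000` (constructed example) appears to still pass. Credentials embedded in an alias URL tend to end up in config files, logs and error messages, and a `name@host` form can mislead a reader about which host is actually contacted. The function body starts above the hunk, so an earlier check may already cover this. If not, consider a separate guard such as `if !url.username().is_empty() || url.password().is_some() { return Err(Error::Config(format!("{label} must not include credentials"))); }`. A short `///` comment stating that the endpoint must be a bare origin (scheme, host, optional port) would also record the intent of both checks.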
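Review bot: `test_validate_alias_endpoint_rejects_path_query_and_fragment` pins only the rejected forms, and nothing in this hunk pins the accepted trailing-slash form that the `"" | "/"` arm exists for. The accept test continues past the hunk, so it may already cover this. If not, add `validate_alias_endpoint("http://localhost:9000/").unwrap();` there so a later tightening of the path check cannot silently break a commonly typed endpoint. The rejected list could also include `"http://localhost:9000?"` and `"http://localhost:9000#"`, since an empty query or fragment should still be reported as present by `url.query()` and `url.fragment()`. The second `assert!` in the loop has no message; adding `"unexpected error for {endpoint}"` would make a failure identify the offending case.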