
Commit 13f6f5e

Validate raw query input for unencoded control characters
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent d54812b commit 13f6f5e


2 files changed

+15
-0
lines changed


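--- a/hyperbrowser/client/base.py
+++ b/hyperbrowser/client/base.py
@@ -88,6 +88,16 @@ def _build_url(self, path: str) -> str:
 raise HyperbrowserError("path must be a relative API path")
 if parsed_path.fragment:
 raise HyperbrowserError("path must not include URL fragments")
+raw_query_component = (
+stripped_path.split("?", 1)[1] if "?" in stripped_path else ""
+)
+if any(
+character.isspace() or ord(character) < 32 or ord(character) == 127
+for character in raw_query_component
+):
+raise HyperbrowserError(
+"path query must not contain unencoded whitespace or control characters"
+)
 if any(
 character.isspace() or ord(character) < 32 or ord(character) == 127
 for character in parsed_path.query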
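Review bot: The raw scan added at new lines 91-100 covers only the text after the first `?`, so a tab, CR or LF in the path part of `stripped_path` is still not examined here. If `parsed_path` comes from `urllib.parse`, those three characters are removed during parsing, which is presumably why the existing `parsed_path.query` check missed the tab case, and the same would hold for `parsed_path.path`. Consider running the predicate over the whole raw string, or confirm that the path part gets its own raw check elsewhere in `_build_url`, whose body starts and ends outside this hunk. The predicate `character.isspace() or ord(character) < 32 or ord(character) == 127` now appears twice in a row, so a small private helper would keep the two checks from drifting apart. A comment such as `# check the raw string: URL parsing may drop tab/CR/LF before .query is populated` above `raw_query_component` would tell the next reader why both checks exist.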

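--- a/tests/test_url_building.py
+++ b/tests/test_url_building.py
@@ -329,6 +329,11 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
 with pytest.raises(
 HyperbrowserError,
 match="path query must not contain unencoded whitespace or control characters",
+):
+client._build_url("/session?foo=bar\tbaz")
+with pytest.raises(
+HyperbrowserError,
+match="path query must not contain unencoded whitespace or control characters",
 ):
 client._build_url("/session?foo=bar\x00baz")
 nested_encoded_segment = "%2e"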
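Review bot: The added case at new line 333 pins only the tab; CR and LF are the characters that matter most if this string ever reaches a request line or a log entry, and they are not exercised in the visible lines. Add sibling cases such as `client._build_url("/session?foo=bar\nbaz")` and `client._build_url("/session?foo=bar\rbaz")` with the same `match=` so the raw-query check is pinned for all three characters. The enclosing test is named `test_client_build_url_rejects_empty_or_non_string_paths` and starts outside the hunk; a dedicated test for query control characters would be easier to find when this validation changes again.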
