Validate raw query input for unencoded control characters

cursoragent · shrisukhani · cursoragent · commit 13f6f5e89056 · 2026-02-13T11:15:00.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -88,6 +88,16 @@ def _build_url(self, path: str) -> str:
             raise HyperbrowserError("path must be a relative API path")
         if parsed_path.fragment:
             raise HyperbrowserError("path must not include URL fragments")
+        raw_query_component = (
+            stripped_path.split("?", 1)[1] if "?" in stripped_path else ""
+        )
+        if any(
+            character.isspace() or ord(character) < 32 or ord(character) == 127
+            for character in raw_query_component
+        ):
+            raise HyperbrowserError(
+                "path query must not contain unencoded whitespace or control characters"
+            )
         if any(
             character.isspace() or ord(character) < 32 or ord(character) == 127
             for character in parsed_path.query
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -329,6 +329,11 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
         with pytest.raises(
             HyperbrowserError,
             match="path query must not contain unencoded whitespace or control characters",
+        ):
+            client._build_url("/session?foo=bar\tbaz")
+        with pytest.raises(
+            HyperbrowserError,
+            match="path query must not contain unencoded whitespace or control characters",
         ):
             client._build_url("/session?foo=bar\x00baz")
         nested_encoded_segment = "%2e"
