Handle bounded nested URL encodings without false positives

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/config.py

@@ -42,6 +42,8 @@ def _decode_url_component_with_limit(value: str, *, component_label: str) -> str
             if next_decoded_value == decoded_value:
                 return decoded_value
             decoded_value = next_decoded_value
+        if unquote(decoded_value) == decoded_value:
+            return decoded_value
         raise HyperbrowserError(
             f"{component_label} contains excessively nested URL encoding"
         )
@@ -123,9 +125,14 @@ def normalize_base_url(base_url: str) -> str:
                 break
             decoded_base_netloc = next_decoded_base_netloc
         else:
-            raise HyperbrowserError(
-                "base_url host contains excessively nested URL encoding"
-            )
+            if _ENCODED_HOST_DELIMITER_PATTERN.search(decoded_base_netloc):
+                raise HyperbrowserError(
+                    "base_url host must not contain encoded delimiter characters"
+                )
+            if unquote(decoded_base_netloc) != decoded_base_netloc:
+                raise HyperbrowserError(
+                    "base_url host contains excessively nested URL encoding"
+                )
         if "\\" in decoded_base_netloc:
             raise HyperbrowserError("base_url host must not contain backslashes")
         if any(character.isspace() for character in decoded_base_netloc):

tests/test_config.py

@@ -472,6 +472,15 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         match="base_url path must not contain encoded query or fragment delimiters",
     ):
         ClientConfig.normalize_base_url("https://example.local/%253Fapi")
+    bounded_encoded_host_label = "%61"
+    for _ in range(9):
+        bounded_encoded_host_label = quote(bounded_encoded_host_label, safe="")
+    assert (
+        ClientConfig.normalize_base_url(
+            f"https://{bounded_encoded_host_label}.example.local"
+        )
+        == f"https://{bounded_encoded_host_label}.example.local"
+    )
     deeply_encoded_dot = "%2e"
     for _ in range(11):
         deeply_encoded_dot = quote(deeply_encoded_dot, safe="")

tests/test_url_building.py

@@ -367,6 +367,21 @@ def test_client_build_url_allows_query_values_containing_absolute_urls():
         client.close()
 
 
+def test_client_build_url_allows_bounded_nested_safe_encoding():
+    client = Hyperbrowser(config=ClientConfig(api_key="test-key"))
+    try:
+        bounded_encoded_segment = "%61"
+        for _ in range(9):
+            bounded_encoded_segment = quote(bounded_encoded_segment, safe="")
+
+        assert (
+            client._build_url(f"/{bounded_encoded_segment}/session")
+            == f"https://api.hyperbrowser.ai/api/{bounded_encoded_segment}/session"
+        )
+    finally:
+        client.close()
+
+
 def test_client_build_url_normalizes_runtime_trailing_slashes():
     client = Hyperbrowser(config=ClientConfig(api_key="test-key"))
     try: