Reject newline characters in internal URL path inputs

cursoragent · shrisukhani · cursoragent · commit 2b7628f24f2c · 2026-02-13T07:44:14.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -80,6 +80,8 @@ def _build_url(self, path: str) -> str:
             raise HyperbrowserError("path must not be empty")
         if "\\" in stripped_path:
             raise HyperbrowserError("path must not contain backslashes")
+        if "\n" in stripped_path or "\r" in stripped_path:
+            raise HyperbrowserError("path must not contain newline characters")
         parsed_path = urlparse(stripped_path)
         if parsed_path.scheme:
             raise HyperbrowserError("path must be a relative API path")
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -91,6 +91,10 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain backslashes"
         ):
             client._build_url(r"\\session")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain newline characters"
+        ):
+            client._build_url("/session\nnext")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
             client._build_url("https://api.hyperbrowser.ai/session")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
