Sanitize header names and block newline injection

cursoragent · shrisukhani · cursoragent · commit 3b4d93dfce9e · 2026-02-13T06:49:38.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/config.py b/hyperbrowser/config.py
@@ -36,7 +36,19 @@ def __post_init__(self) -> None:
             for key, value in self.headers.items():
                 if not isinstance(key, str) or not isinstance(value, str):
                     raise HyperbrowserError("headers must be a mapping of string pairs")
-                normalized_headers[key] = value
+                normalized_key = key.strip()
+                if not normalized_key:
+                    raise HyperbrowserError("header names must not be empty")
+                if (
+                    "\n" in normalized_key
+                    or "\r" in normalized_key
+                    or "\n" in value
+                    or "\r" in value
+                ):
+                    raise HyperbrowserError(
+                        "headers must not contain newline characters"
+                    )
+                normalized_headers[normalized_key] = value
             self.headers = normalized_headers
 
     @classmethod
diff --git a/hyperbrowser/transport/async_transport.py b/hyperbrowser/transport/async_transport.py
@@ -17,12 +17,24 @@ def __init__(self, api_key: str, headers: Optional[Mapping[str, str]] = None):
             "User-Agent": f"hyperbrowser-python-sdk/{__version__}",
         }
         if headers:
-            if any(
-                not isinstance(key, str) or not isinstance(value, str)
-                for key, value in headers.items()
-            ):
-                raise HyperbrowserError("headers must be a mapping of string pairs")
-            merged_headers.update(headers)
+            normalized_headers = {}
+            for key, value in headers.items():
+                if not isinstance(key, str) or not isinstance(value, str):
+                    raise HyperbrowserError("headers must be a mapping of string pairs")
+                normalized_key = key.strip()
+                if not normalized_key:
+                    raise HyperbrowserError("header names must not be empty")
+                if (
+                    "\n" in normalized_key
+                    or "\r" in normalized_key
+                    or "\n" in value
+                    or "\r" in value
+                ):
+                    raise HyperbrowserError(
+                        "headers must not contain newline characters"
+                    )
+                normalized_headers[normalized_key] = value
+            merged_headers.update(normalized_headers)
         self.client = httpx.AsyncClient(headers=merged_headers)
         self._closed = False
 
diff --git a/hyperbrowser/transport/sync.py b/hyperbrowser/transport/sync.py
@@ -17,12 +17,24 @@ def __init__(self, api_key: str, headers: Optional[Mapping[str, str]] = None):
             "User-Agent": f"hyperbrowser-python-sdk/{__version__}",
         }
         if headers:
-            if any(
-                not isinstance(key, str) or not isinstance(value, str)
-                for key, value in headers.items()
-            ):
-                raise HyperbrowserError("headers must be a mapping of string pairs")
-            merged_headers.update(headers)
+            normalized_headers = {}
+            for key, value in headers.items():
+                if not isinstance(key, str) or not isinstance(value, str):
+                    raise HyperbrowserError("headers must be a mapping of string pairs")
+                normalized_key = key.strip()
+                if not normalized_key:
+                    raise HyperbrowserError("header names must not be empty")
+                if (
+                    "\n" in normalized_key
+                    or "\r" in normalized_key
+                    or "\n" in value
+                    or "\r" in value
+                ):
+                    raise HyperbrowserError(
+                        "headers must not contain newline characters"
+                    )
+                normalized_headers[normalized_key] = value
+            merged_headers.update(normalized_headers)
         self.client = httpx.Client(headers=merged_headers)
 
     def _handle_response(self, response: httpx.Response) -> APIResponse:
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -142,6 +142,24 @@ def test_client_config_rejects_non_string_header_pairs():
         ClientConfig(api_key="test-key", headers={"X-Correlation-Id": 123})  # type: ignore[dict-item]
 
 
+def test_client_config_rejects_empty_header_name():
+    with pytest.raises(HyperbrowserError, match="header names must not be empty"):
+        ClientConfig(api_key="test-key", headers={"   ": "value"})
+
+
+def test_client_config_rejects_newline_header_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain newline characters"
+    ):
+        ClientConfig(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
+
+
+def test_client_config_normalizes_header_name_whitespace():
+    config = ClientConfig(api_key="test-key", headers={"  X-Correlation-Id  ": "value"})
+
+    assert config.headers == {"X-Correlation-Id": "value"}
+
+
 def test_client_config_accepts_mapping_header_inputs():
     headers = MappingProxyType({"X-Correlation-Id": "abc123"})
     config = ClientConfig(api_key="test-key", headers=headers)
diff --git a/tests/test_custom_headers.py b/tests/test_custom_headers.py
@@ -28,6 +28,18 @@ def test_sync_transport_rejects_non_string_header_pairs():
         SyncTransport(api_key="test-key", headers={"X-Correlation-Id": 123})  # type: ignore[dict-item]
 
 
+def test_sync_transport_rejects_empty_header_name():
+    with pytest.raises(HyperbrowserError, match="header names must not be empty"):
+        SyncTransport(api_key="test-key", headers={"   ": "value"})
+
+
+def test_sync_transport_rejects_header_newline_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain newline characters"
+    ):
+        SyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
+
+
 def test_async_transport_accepts_custom_headers():
     async def run() -> None:
         transport = AsyncTransport(
@@ -49,6 +61,18 @@ def test_async_transport_rejects_non_string_header_pairs():
         AsyncTransport(api_key="test-key", headers={"X-Correlation-Id": 123})  # type: ignore[dict-item]
 
 
+def test_async_transport_rejects_empty_header_name():
+    with pytest.raises(HyperbrowserError, match="header names must not be empty"):
+        AsyncTransport(api_key="test-key", headers={"   ": "value"})
+
+
+def test_async_transport_rejects_header_newline_values():
+    with pytest.raises(
+        HyperbrowserError, match="headers must not contain newline characters"
+    ):
+        AsyncTransport(api_key="test-key", headers={"X-Correlation-Id": "bad\nvalue"})
+
+
 def test_sync_client_config_headers_are_applied_to_transport():
     client = Hyperbrowser(
         config=ClientConfig(api_key="test-key", headers={"X-Team-Trace": "team-1"})
