Cap request method length in error context normalization

cursoragent · shrisukhani · cursoragent · commit 7bb133b39e3e · 2026-02-13T11:09:08.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/transport/error_utils.py b/hyperbrowser/transport/error_utils.py
@@ -7,12 +7,15 @@
 _HTTP_METHOD_TOKEN_PATTERN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Z]+$")
 _MAX_ERROR_MESSAGE_LENGTH = 2000
 _MAX_REQUEST_URL_DISPLAY_LENGTH = 1000
+_MAX_REQUEST_METHOD_LENGTH = 50
 
 
 def _normalize_request_method(method: Any) -> str:
     if not isinstance(method, str) or not method.strip():
         return "UNKNOWN"
     normalized_method = method.strip().upper()
+    if len(normalized_method) > _MAX_REQUEST_METHOD_LENGTH:
+        return "UNKNOWN"
     if not _HTTP_METHOD_TOKEN_PATTERN.fullmatch(normalized_method):
         return "UNKNOWN"
     return normalized_method
diff --git a/tests/test_transport_error_utils.py b/tests/test_transport_error_utils.py
@@ -32,6 +32,11 @@ class _LowercaseMethodRequest:
     url = "https://example.com/lowercase"
 
 
+class _TooLongMethodRequest:
+    method = "A" * 51
+    url = "https://example.com/too-long-method"
+
+
 class _InvalidMethodTokenRequest:
     method = "GET /invalid"
     url = "https://example.com/invalid-method"
@@ -72,6 +77,12 @@ def request(self):  # type: ignore[override]
         return _LowercaseMethodRequest()
 
 
+class _RequestErrorWithTooLongMethod(httpx.RequestError):
+    @property
+    def request(self):  # type: ignore[override]
+        return _TooLongMethodRequest()
+
+
 class _RequestErrorWithInvalidMethodToken(httpx.RequestError):
     @property
     def request(self):  # type: ignore[override]
@@ -145,6 +156,15 @@ def test_extract_request_error_context_normalizes_method_to_uppercase():
     assert url == "https://example.com/lowercase"
 
 
+def test_extract_request_error_context_rejects_overlong_methods():
+    method, url = extract_request_error_context(
+        _RequestErrorWithTooLongMethod("network down")
+    )
+
+    assert method == "UNKNOWN"
+    assert url == "https://example.com/too-long-method"
+
+
 def test_extract_request_error_context_rejects_invalid_method_tokens():
     method, url = extract_request_error_context(
         _RequestErrorWithInvalidMethodToken("network down")
@@ -204,6 +224,16 @@ def test_format_request_failure_message_normalizes_lowercase_fallback_method():
     assert message == "Request POST https://example.com/fallback failed"
 
 
+def test_format_request_failure_message_rejects_overlong_fallback_methods():
+    message = format_request_failure_message(
+        httpx.RequestError("network down"),
+        fallback_method="A" * 51,
+        fallback_url="https://example.com/fallback",
+    )
+
+    assert message == "Request UNKNOWN https://example.com/fallback failed"
+
+
 def test_format_request_failure_message_truncates_very_long_fallback_urls():
     very_long_url = "https://example.com/" + ("a" * 1200)
     message = format_request_failure_message(
