Skip to content

Commit e425a34

Browse files
Reject string-subclass request method and URL values
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent e016ecb commit e425a34

File tree

2 files changed

+29
-1
lines changed

2 files changed

+29
-1
lines changed

hyperbrowser/transport/error_utils.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -106,7 +106,7 @@ def _normalize_request_method(method: Any) -> str:
106106
except Exception:
107107
return "UNKNOWN"
108108
try:
109-
if not isinstance(raw_method, str):
109+
if type(raw_method) is not str:
110110
return "UNKNOWN"
111111
stripped_method = raw_method.strip()
112112
if type(stripped_method) is not str or not stripped_method:
@@ -152,6 +152,8 @@ def _normalize_request_url(url: Any) -> str:
152152
return "unknown URL"
153153

154154
try:
155+
if type(raw_url) is not str:
156+
return "unknown URL"
155157
normalized_url = raw_url.strip()
156158
if type(normalized_url) is not str or not normalized_url:
157159
return "unknown URL"

tests/test_transport_error_utils.py

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -316,6 +316,14 @@ class _MessageStringSubclass(str):
316316
pass
317317

318318

319+
class _MethodStringSubclass(str):
320+
pass
321+
322+
323+
class _UrlStringSubclass(str):
324+
pass
325+
326+
319327
def test_extract_request_error_context_uses_unknown_when_request_unset():
320328
method, url = extract_request_error_context(httpx.RequestError("network down"))
321329

@@ -699,6 +707,15 @@ def test_format_generic_request_failure_message_supports_url_like_values():
699707
assert message == "Request GET https://example.com/path failed"
700708

701709

710+
def test_format_generic_request_failure_message_rejects_string_subclass_url_values():
711+
message = format_generic_request_failure_message(
712+
method="GET",
713+
url=_UrlStringSubclass("https://example.com/path"),
714+
)
715+
716+
assert message == "Request GET unknown URL failed"
717+
718+
702719
def test_format_generic_request_failure_message_supports_utf8_memoryview_urls():
703720
message = format_generic_request_failure_message(
704721
method="GET",
@@ -765,6 +782,15 @@ def __str__(self) -> str:
765782
assert message == "Request DELETE https://example.com/path failed"
766783

767784

785+
def test_format_generic_request_failure_message_rejects_string_subclass_method_values():
786+
message = format_generic_request_failure_message(
787+
method=_MethodStringSubclass("delete"),
788+
url="https://example.com/path",
789+
)
790+
791+
assert message == "Request UNKNOWN https://example.com/path failed"
792+
793+
768794
def test_format_generic_request_failure_message_supports_memoryview_method_values():
769795
message = format_generic_request_failure_message(
770796
method=memoryview(b"patch"),

0 commit comments

Comments
 (0)