Reject string-subclass request method and URL values

cursoragent · shrisukhani · cursoragent · commit e425a347e269 · 2026-02-14T03:03:24.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/transport/error_utils.py b/hyperbrowser/transport/error_utils.py
@@ -106,7 +106,7 @@ def _normalize_request_method(method: Any) -> str:
         except Exception:
             return "UNKNOWN"
     try:
-        if not isinstance(raw_method, str):
+        if type(raw_method) is not str:
             return "UNKNOWN"
         stripped_method = raw_method.strip()
         if type(stripped_method) is not str or not stripped_method:
@@ -152,6 +152,8 @@ def _normalize_request_url(url: Any) -> str:
             return "unknown URL"
 
     try:
+        if type(raw_url) is not str:
+            return "unknown URL"
         normalized_url = raw_url.strip()
         if type(normalized_url) is not str or not normalized_url:
             return "unknown URL"
diff --git a/tests/test_transport_error_utils.py b/tests/test_transport_error_utils.py
@@ -316,6 +316,14 @@ class _MessageStringSubclass(str):
     pass
 
 
+class _MethodStringSubclass(str):
+    pass
+
+
+class _UrlStringSubclass(str):
+    pass
+
+
 def test_extract_request_error_context_uses_unknown_when_request_unset():
     method, url = extract_request_error_context(httpx.RequestError("network down"))
 
@@ -699,6 +707,15 @@ def test_format_generic_request_failure_message_supports_url_like_values():
     assert message == "Request GET https://example.com/path failed"
 
 
+def test_format_generic_request_failure_message_rejects_string_subclass_url_values():
+    message = format_generic_request_failure_message(
+        method="GET",
+        url=_UrlStringSubclass("https://example.com/path"),
+    )
+
+    assert message == "Request GET unknown URL failed"
+
+
 def test_format_generic_request_failure_message_supports_utf8_memoryview_urls():
     message = format_generic_request_failure_message(
         method="GET",
@@ -765,6 +782,15 @@ def __str__(self) -> str:
     assert message == "Request DELETE https://example.com/path failed"
 
 
+def test_format_generic_request_failure_message_rejects_string_subclass_method_values():
+    message = format_generic_request_failure_message(
+        method=_MethodStringSubclass("delete"),
+        url="https://example.com/path",
+    )
+
+    assert message == "Request UNKNOWN https://example.com/path failed"
+
+
 def test_format_generic_request_failure_message_supports_memoryview_method_values():
     message = format_generic_request_failure_message(
         method=memoryview(b"patch"),
