Reject encoded backslashes and newlines in API paths

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -91,6 +91,10 @@ def _build_url(self, path: str) -> str:
             f"?{normalized_parts.query}" if normalized_parts.query else ""
         )
         decoded_path = unquote(normalized_path_only)
+        if "\\" in decoded_path:
+            raise HyperbrowserError("path must not contain backslashes")
+        if "\n" in decoded_path or "\r" in decoded_path:
+            raise HyperbrowserError("path must not contain newline characters")
         normalized_segments = [
             segment for segment in decoded_path.split("/") if segment
         ]

tests/test_url_building.py

@@ -156,6 +156,14 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain relative path segments"
         ):
             client._build_url("/api/%2E/session")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain backslashes"
+        ):
+            client._build_url("/api/%5Csession")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain newline characters"
+        ):
+            client._build_url("/api/%0Asegment")
     finally:
         client.close()