Reject control characters in API paths

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -102,6 +102,10 @@ def _build_url(self, path: str) -> str:
             raise HyperbrowserError("path must not contain newline characters")
         if any(character.isspace() for character in decoded_path):
             raise HyperbrowserError("path must not contain whitespace characters")
+        if any(
+            ord(character) < 32 or ord(character) == 127 for character in decoded_path
+        ):
+            raise HyperbrowserError("path must not contain control characters")
         normalized_segments = [
             segment for segment in decoded_path.split("/") if segment
         ]

tests/test_url_building.py

@@ -146,6 +146,10 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain whitespace characters"
         ):
             client._build_url("/session name")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain control characters"
+        ):
+            client._build_url("/session\x00name")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
             client._build_url("https://api.hyperbrowser.ai/session")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
@@ -208,6 +212,10 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain whitespace characters"
         ):
             client._build_url("/api/%09segment")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain control characters"
+        ):
+            client._build_url("/api/%00segment")
     finally:
         client.close()