
Commit 9c3ef46

Reject encoded query and fragment delimiters in API paths
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent e8df9a0 commit 9c3ef46

2 files changed

Lines changed: 12 additions & 0 deletions


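--- a/hyperbrowser/client/base.py
+++ b/hyperbrowser/client/base.py
@@ -106,6 +106,10 @@ def _build_url(self, path: str) -> str:
 ord(character) < 32 or ord(character) == 127 for character in decoded_path
 ):
 raise HyperbrowserError("path must not contain control characters")
+if "?" in decoded_path:
+raise HyperbrowserError("path must not contain encoded query delimiters")
+if "#" in decoded_path:
+raise HyperbrowserError("path must not contain encoded fragment delimiters")
 normalized_segments = [
 segment for segment in decoded_path.split("/") if segment
 ]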
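Review bot: The new `"?"` and `"#"` checks test `decoded_path` once, so their strength depends on how many decoding passes produced that value, which happens above this hunk and is not visible here. If it is a single pass, a doubly encoded delimiter such as `%253F` is left as `%3F` and accepted, and a proxy or server that decodes again would then read it as a query delimiter. If that applies, decode until the value stops changing (with a small pass limit) before these checks, or record the assumption next to them, e.g. `# decoded_path has been decoded exactly once; double-encoded delimiters are not rejected here`. A matching `"/api/%253Fsegment"` case in tests/test_url_building.py would pin whichever behaviour is intended. `_build_url` starts and ends outside the hunk.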

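--- a/tests/test_url_building.py
+++ b/tests/test_url_building.py
@@ -235,6 +235,14 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
 HyperbrowserError, match="path must not contain control characters"
 ):
 client._build_url("/api/%00segment")
+with pytest.raises(
+HyperbrowserError, match="path must not contain encoded query delimiters"
+):
+client._build_url("/api/%3Fsegment")
+with pytest.raises(
+HyperbrowserError, match="path must not contain encoded fragment delimiters"
+):
+client._build_url("/api/%23segment")
 finally:
 client.close()
 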
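Review bot: The two new assertions are added to `test_client_build_url_rejects_empty_or_non_string_paths`, whose name no longer describes what they check; a separate test named for encoded delimiters would make a failure easier to attribute. The query case also covers only the upper-case escape, so adding `client._build_url("/api/%3fsegment")` inside the same `pytest.raises` pattern would pin the lower-case form as well. The test function starts above the hunk, so any setup it shares with the earlier cases is not visible here.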
