Reject encoded query and fragment delimiters in API paths

cursoragent · shrisukhani · cursoragent · commit 9c3ef46d7b55 · 2026-02-13T10:00:10.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -106,6 +106,10 @@ def _build_url(self, path: str) -> str:
             ord(character) < 32 or ord(character) == 127 for character in decoded_path
         ):
             raise HyperbrowserError("path must not contain control characters")
+        if "?" in decoded_path:
+            raise HyperbrowserError("path must not contain encoded query delimiters")
+        if "#" in decoded_path:
+            raise HyperbrowserError("path must not contain encoded fragment delimiters")
         normalized_segments = [
             segment for segment in decoded_path.split("/") if segment
         ]
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -235,6 +235,14 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain control characters"
         ):
             client._build_url("/api/%00segment")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain encoded query delimiters"
+        ):
+            client._build_url("/api/%3Fsegment")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain encoded fragment delimiters"
+        ):
+            client._build_url("/api/%23segment")
     finally:
         client.close()
 
