Skip to content

Commit c915367

Browse files
cursoragentshrisukhani
cursoragent
and
shrisukhani
committed
Reject newline characters in base URL normalization
Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>
1 parent 569e065 commit c915367

3 files changed

Lines changed: 18 additions & 0 deletions

File tree

hyperbrowser/config.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,8 @@ def normalize_base_url(base_url: str) -> str:
3434
normalized_base_url = base_url.strip().rstrip("/")
3535
if not normalized_base_url:
3636
raise HyperbrowserError("base_url must not be empty")
37+
if "\n" in normalized_base_url or "\r" in normalized_base_url:
38+
raise HyperbrowserError("base_url must not contain newline characters")
3739

3840
parsed_base_url = urlparse(normalized_base_url)
3941
if (

tests/test_config.py

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -209,6 +209,11 @@ def test_client_config_rejects_empty_or_invalid_base_url():
209209
with pytest.raises(HyperbrowserError, match="must not include query parameters"):
210210
ClientConfig(api_key="test-key", base_url="https://example.local#frag")
211211

212+
with pytest.raises(
213+
HyperbrowserError, match="base_url must not contain newline characters"
214+
):
215+
ClientConfig(api_key="test-key", base_url="https://example.local/\napi")
216+
212217

213218
def test_client_config_normalizes_headers_to_internal_copy():
214219
headers = {"X-Correlation-Id": "abc123"}
@@ -313,3 +318,8 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
313318

314319
with pytest.raises(HyperbrowserError, match="must not include query parameters"):
315320
ClientConfig.normalize_base_url("https://example.local?foo=bar")
321+
322+
with pytest.raises(
323+
HyperbrowserError, match="base_url must not contain newline characters"
324+
):
325+
ClientConfig.normalize_base_url("https://example.local/\napi")

tests/test_url_building.py

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -98,6 +98,12 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
9898
):
9999
client._build_url("/session")
100100

101+
client.config.base_url = "https://example.local/\napi"
102+
with pytest.raises(
103+
HyperbrowserError, match="base_url must not contain newline characters"
104+
):
105+
client._build_url("/session")
106+
101107
client.config.base_url = " "
102108
with pytest.raises(HyperbrowserError, match="base_url must not be empty"):
103109
client._build_url("/session")

0 commit comments

Comments
 (0)