Reject excessively nested URL encoding in paths and base URLs

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -96,6 +96,8 @@ def _build_url(self, path: str) -> str:
             if next_decoded_path == decoded_path:
                 break
             decoded_path = next_decoded_path
+        else:
+            raise HyperbrowserError("path contains excessively nested URL encoding")
         if "\\" in decoded_path:
             raise HyperbrowserError("path must not contain backslashes")
         if "\n" in decoded_path or "\r" in decoded_path:

hyperbrowser/config.py

@@ -73,6 +73,8 @@ def normalize_base_url(base_url: str) -> str:
             if next_decoded_base_path == decoded_base_path:
                 break
             decoded_base_path = next_decoded_base_path
+        else:
+            raise HyperbrowserError("base_url path contains excessively nested URL encoding")
         if "\\" in decoded_base_path:
             raise HyperbrowserError("base_url must not contain backslashes")
         if any(character.isspace() for character in decoded_base_path):
@@ -98,6 +100,8 @@ def normalize_base_url(base_url: str) -> str:
             if next_decoded_base_netloc == decoded_base_netloc:
                 break
             decoded_base_netloc = next_decoded_base_netloc
+        else:
+            raise HyperbrowserError("base_url host contains excessively nested URL encoding")
         if "\\" in decoded_base_netloc:
             raise HyperbrowserError("base_url host must not contain backslashes")
         if any(character.isspace() for character in decoded_base_netloc):

tests/test_config.py

@@ -1,4 +1,5 @@
 from types import MappingProxyType
+from urllib.parse import quote
 
 import pytest
 
@@ -436,3 +437,13 @@ def test_client_config_normalize_base_url_validates_and_normalizes():
         match="base_url path must not contain encoded query or fragment delimiters",
     ):
         ClientConfig.normalize_base_url("https://example.local/%253Fapi")
+    deeply_encoded_dot = "%2e"
+    for _ in range(11):
+        deeply_encoded_dot = quote(deeply_encoded_dot, safe="")
+    with pytest.raises(
+        HyperbrowserError,
+        match="base_url path contains excessively nested URL encoding",
+    ):
+        ClientConfig.normalize_base_url(
+            f"https://example.local/{deeply_encoded_dot}/api"
+        )

tests/test_url_building.py

@@ -1,4 +1,5 @@
 import pytest
+from urllib.parse import quote
 
 from hyperbrowser import Hyperbrowser
 from hyperbrowser.config import ClientConfig
@@ -142,6 +143,16 @@ def test_client_build_url_rejects_runtime_invalid_base_url_changes():
         ):
             client._build_url("/session")
 
+        deeply_encoded_dot = "%2e"
+        for _ in range(11):
+            deeply_encoded_dot = quote(deeply_encoded_dot, safe="")
+        client.config.base_url = f"https://example.local/{deeply_encoded_dot}/api"
+        with pytest.raises(
+            HyperbrowserError,
+            match="base_url path contains excessively nested URL encoding",
+        ):
+            client._build_url("/session")
+
         client.config.base_url = "https://example.local%2Fapi"
         with pytest.raises(
             HyperbrowserError,
@@ -270,6 +281,13 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain encoded fragment delimiters"
         ):
             client._build_url("/api/%23segment")
+        nested_encoded_segment = "%2e"
+        for _ in range(11):
+            nested_encoded_segment = quote(nested_encoded_segment, safe="")
+        with pytest.raises(
+            HyperbrowserError, match="path contains excessively nested URL encoding"
+        ):
+            client._build_url(f"/{nested_encoded_segment}/session")
     finally:
         client.close()