Block percent-encoded path traversal segments

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -1,5 +1,5 @@
 import os
-from urllib.parse import urlparse
+from urllib.parse import unquote, urlparse
 from typing import Mapping, Optional, Type, Union
 
 from hyperbrowser.exceptions import HyperbrowserError
@@ -90,8 +90,9 @@ def _build_url(self, path: str) -> str:
         normalized_query_suffix = (
             f"?{normalized_parts.query}" if normalized_parts.query else ""
         )
+        decoded_path = unquote(normalized_path_only)
         normalized_segments = [
-            segment for segment in normalized_path_only.split("/") if segment
+            segment for segment in decoded_path.split("/") if segment
         ]
         if any(segment in {".", ".."} for segment in normalized_segments):
             raise HyperbrowserError("path must not contain relative path segments")

tests/test_url_building.py

@@ -148,6 +148,14 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain relative path segments"
         ):
             client._build_url("/api/./session")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain relative path segments"
+        ):
+            client._build_url("/%2e%2e/session")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain relative path segments"
+        ):
+            client._build_url("/api/%2E/session")
     finally:
         client.close()