Sanitize request error method and URL context values

cursoragent · shrisukhani · cursoragent · commit 6539e67d25ee · 2026-02-13T10:41:14.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/transport/error_utils.py b/hyperbrowser/transport/error_utils.py
@@ -1,8 +1,35 @@
 import json
+import re
 from typing import Any
 
 import httpx
 
+_HTTP_METHOD_TOKEN_PATTERN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Z]+$")
+
+
+def _normalize_request_method(method: Any) -> str:
+    if not isinstance(method, str) or not method.strip():
+        return "UNKNOWN"
+    normalized_method = method.strip().upper()
+    if not _HTTP_METHOD_TOKEN_PATTERN.fullmatch(normalized_method):
+        return "UNKNOWN"
+    return normalized_method
+
+
+def _normalize_request_url(url: Any) -> str:
+    if not isinstance(url, str):
+        return "unknown URL"
+    normalized_url = url.strip()
+    if not normalized_url:
+        return "unknown URL"
+    if any(character.isspace() for character in normalized_url):
+        return "unknown URL"
+    if any(
+        ord(character) < 32 or ord(character) == 127 for character in normalized_url
+    ):
+        return "unknown URL"
+    return normalized_url
+
 
 def _stringify_error_value(value: Any, *, _depth: int = 0) -> str:
     if _depth > 10:
@@ -82,19 +109,13 @@ def extract_request_error_context(error: httpx.RequestError) -> tuple[str, str]:
         request_method = request.method
     except Exception:
         request_method = "UNKNOWN"
-    if not isinstance(request_method, str) or not request_method.strip():
-        request_method = "UNKNOWN"
-    else:
-        request_method = request_method.strip().upper()
+    request_method = _normalize_request_method(request_method)
 
     try:
         request_url = str(request.url)
     except Exception:
         request_url = "unknown URL"
-    if not request_url.strip():
-        request_url = "unknown URL"
-    else:
-        request_url = request_url.strip()
+    request_url = _normalize_request_url(request_url)
     return request_method, request_url
 
 
@@ -105,10 +126,8 @@ def format_request_failure_message(
     effective_method = (
         request_method if request_method != "UNKNOWN" else fallback_method
     )
-    if not isinstance(effective_method, str) or not effective_method.strip():
-        effective_method = "UNKNOWN"
+    effective_method = _normalize_request_method(effective_method)
 
     effective_url = request_url if request_url != "unknown URL" else fallback_url
-    if not isinstance(effective_url, str) or not effective_url.strip():
-        effective_url = "unknown URL"
+    effective_url = _normalize_request_url(effective_url)
     return f"Request {effective_method} {effective_url} failed"
diff --git a/tests/test_transport_error_utils.py b/tests/test_transport_error_utils.py
@@ -32,6 +32,16 @@ class _LowercaseMethodRequest:
     url = "https://example.com/lowercase"
 
 
+class _InvalidMethodTokenRequest:
+    method = "GET /invalid"
+    url = "https://example.com/invalid-method"
+
+
+class _WhitespaceInsideUrlRequest:
+    method = "GET"
+    url = "https://example.com/with space"
+
+
 class _RequestErrorWithFailingRequestProperty(httpx.RequestError):
     @property
     def request(self):  # type: ignore[override]
@@ -62,6 +72,18 @@ def request(self):  # type: ignore[override]
         return _LowercaseMethodRequest()
 
 
+class _RequestErrorWithInvalidMethodToken(httpx.RequestError):
+    @property
+    def request(self):  # type: ignore[override]
+        return _InvalidMethodTokenRequest()
+
+
+class _RequestErrorWithWhitespaceInsideUrl(httpx.RequestError):
+    @property
+    def request(self):  # type: ignore[override]
+        return _WhitespaceInsideUrlRequest()
+
+
 class _DummyResponse:
     def __init__(self, json_value, text: str = "") -> None:
         self._json_value = json_value
@@ -123,6 +145,24 @@ def test_extract_request_error_context_normalizes_method_to_uppercase():
     assert url == "https://example.com/lowercase"
 
 
+def test_extract_request_error_context_rejects_invalid_method_tokens():
+    method, url = extract_request_error_context(
+        _RequestErrorWithInvalidMethodToken("network down")
+    )
+
+    assert method == "UNKNOWN"
+    assert url == "https://example.com/invalid-method"
+
+
+def test_extract_request_error_context_rejects_urls_with_whitespace():
+    method, url = extract_request_error_context(
+        _RequestErrorWithWhitespaceInsideUrl("network down")
+    )
+
+    assert method == "GET"
+    assert url == "unknown URL"
+
+
 def test_format_request_failure_message_uses_fallback_values():
     message = format_request_failure_message(
         httpx.RequestError("network down"),
@@ -154,6 +194,16 @@ def test_format_request_failure_message_normalizes_blank_fallback_values():
     assert message == "Request UNKNOWN unknown URL failed"
 
 
+def test_format_request_failure_message_normalizes_lowercase_fallback_method():
+    message = format_request_failure_message(
+        httpx.RequestError("network down"),
+        fallback_method="post",
+        fallback_url="https://example.com/fallback",
+    )
+
+    assert message == "Request POST https://example.com/fallback failed"
+
+
 def test_extract_error_message_handles_recursive_list_payloads():
     recursive_payload = []
     recursive_payload.append(recursive_payload)
