Reject unencoded whitespace and control chars in URL queries

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -88,6 +88,13 @@ def _build_url(self, path: str) -> str:
             raise HyperbrowserError("path must be a relative API path")
         if parsed_path.fragment:
             raise HyperbrowserError("path must not include URL fragments")
+        if any(
+            character.isspace() or ord(character) < 32 or ord(character) == 127
+            for character in parsed_path.query
+        ):
+            raise HyperbrowserError(
+                "path query must not contain unencoded whitespace or control characters"
+            )
         normalized_path = f"/{stripped_path.lstrip('/')}"
         normalized_parts = urlparse(normalized_path)
         normalized_path_only = normalized_parts.path

tests/test_url_building.py

@@ -321,6 +321,16 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain encoded fragment delimiters"
         ):
             client._build_url("/api/%23segment")
+        with pytest.raises(
+            HyperbrowserError,
+            match="path query must not contain unencoded whitespace or control characters",
+        ):
+            client._build_url("/session?foo=bar baz")
+        with pytest.raises(
+            HyperbrowserError,
+            match="path query must not contain unencoded whitespace or control characters",
+        ):
+            client._build_url("/session?foo=bar\x00baz")
         nested_encoded_segment = "%2e"
         for _ in range(11):
             nested_encoded_segment = quote(nested_encoded_segment, safe="")