Reject backslashes in internal URL path inputs

cursoragent · shrisukhani · cursoragent · commit 700d894b73e9 · 2026-02-13T07:21:33.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -72,6 +72,8 @@ def _build_url(self, path: str) -> str:
         stripped_path = path.strip()
         if not stripped_path:
             raise HyperbrowserError("path must not be empty")
+        if "\\" in stripped_path:
+            raise HyperbrowserError("path must not contain backslashes")
         parsed_path = urlparse(stripped_path)
         if parsed_path.scheme and parsed_path.netloc:
             raise HyperbrowserError("path must be a relative API path")
diff --git a/tests/test_url_building.py b/tests/test_url_building.py
@@ -49,6 +49,10 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             client._build_url("   ")
         with pytest.raises(HyperbrowserError, match="path must be a string"):
             client._build_url(123)  # type: ignore[arg-type]
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain backslashes"
+        ):
+            client._build_url(r"\\session")
         with pytest.raises(HyperbrowserError, match="path must be a relative API path"):
             client._build_url("https://api.hyperbrowser.ai/session")
     finally:
