Harden api_key empty-check length boundaries across config and clients

cursoragent · shrisukhani · cursoragent · commit ba0324c542bc · 2026-02-14T01:36:35.000Z
Co-authored-by: Shri Sukhani &lt;shrisukhani@users.noreply.github.com&gt;
diff --git a/hyperbrowser/client/base.py b/hyperbrowser/client/base.py
@@ -49,7 +49,16 @@ def __init__(
                     "Failed to normalize api_key",
                     original_error=exc,
                 ) from exc
-            if not normalized_resolved_api_key:
+            try:
+                is_empty_api_key = len(normalized_resolved_api_key) == 0
+            except HyperbrowserError:
+                raise
+            except Exception as exc:
+                raise HyperbrowserError(
+                    "Failed to normalize api_key",
+                    original_error=exc,
+                ) from exc
+            if is_empty_api_key:
                 if api_key_from_constructor:
                     raise HyperbrowserError("api_key must not be empty")
                 raise HyperbrowserError(
diff --git a/hyperbrowser/config.py b/hyperbrowser/config.py
@@ -45,7 +45,16 @@ def normalize_api_key(
                 "Failed to normalize api_key",
                 original_error=exc,
             ) from exc
-        if not normalized_api_key:
+        try:
+            is_empty_api_key = len(normalized_api_key) == 0
+        except HyperbrowserError:
+            raise
+        except Exception as exc:
+            raise HyperbrowserError(
+                "Failed to normalize api_key",
+                original_error=exc,
+            ) from exc
+        if is_empty_api_key:
             raise HyperbrowserError(empty_error_message)
         try:
             contains_control_character = any(
diff --git a/hyperbrowser/transport/base.py b/hyperbrowser/transport/base.py
@@ -79,7 +79,16 @@ def _normalize_transport_api_key(api_key: str) -> str:
             original_error=exc,
         ) from exc
 
-    if not normalized_api_key:
+    try:
+        is_empty_api_key = len(normalized_api_key) == 0
+    except HyperbrowserError:
+        raise
+    except Exception as exc:
+        raise HyperbrowserError(
+            "Failed to normalize api_key",
+            original_error=exc,
+        ) from exc
+    if is_empty_api_key:
         raise HyperbrowserError("api_key must not be empty")
 
     try:
diff --git a/tests/test_client_api_key.py b/tests/test_client_api_key.py
@@ -237,3 +237,39 @@ def strip(self, chars=None):  # type: ignore[override]
         client_class(api_key=_NonStringStripResultApiKey("test-key"))
 
     assert isinstance(exc_info.value.original_error, TypeError)
+
+
+@pytest.mark.parametrize("client_class", [Hyperbrowser, AsyncHyperbrowser])
+def test_client_wraps_api_key_empty_check_length_failures(client_class):
+    class _BrokenLengthApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise RuntimeError("api key length exploded")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="Failed to normalize api_key") as exc_info:
+        client_class(api_key=_BrokenLengthApiKey("test-key"))
+
+    assert isinstance(exc_info.value.original_error, RuntimeError)
+
+
+@pytest.mark.parametrize("client_class", [Hyperbrowser, AsyncHyperbrowser])
+def test_client_preserves_hyperbrowser_api_key_empty_check_length_failures(
+    client_class,
+):
+    class _BrokenLengthApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise HyperbrowserError("custom length failure")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="custom length failure") as exc_info:
+        client_class(api_key=_BrokenLengthApiKey("test-key"))
+
+    assert exc_info.value.original_error is None
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -383,6 +383,38 @@ def strip(self, chars=None):  # type: ignore[override]
     assert isinstance(exc_info.value.original_error, TypeError)
 
 
+def test_client_config_wraps_api_key_empty_check_length_failures():
+    class _BrokenApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise RuntimeError("api key length exploded")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="Failed to normalize api_key") as exc_info:
+        ClientConfig(api_key=_BrokenApiKey("test-key"))
+
+    assert isinstance(exc_info.value.original_error, RuntimeError)
+
+
+def test_client_config_preserves_hyperbrowser_api_key_empty_check_length_failures():
+    class _BrokenApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise HyperbrowserError("custom length failure")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="custom length failure") as exc_info:
+        ClientConfig(api_key=_BrokenApiKey("test-key"))
+
+    assert exc_info.value.original_error is None
+
+
 def test_client_config_wraps_api_key_iteration_runtime_errors():
     class _BrokenApiKey(str):
         def strip(self, chars=None):  # type: ignore[override]
diff --git a/tests/test_transport_api_key.py b/tests/test_transport_api_key.py
@@ -62,6 +62,42 @@ def __iter__(self):
     assert isinstance(exc_info.value.original_error, RuntimeError)
 
 
+@pytest.mark.parametrize("transport_class", [SyncTransport, AsyncTransport])
+def test_transport_wraps_api_key_empty_check_length_failures(transport_class):
+    class _BrokenLengthApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise RuntimeError("api key length exploded")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="Failed to normalize api_key") as exc_info:
+        transport_class(api_key=_BrokenLengthApiKey("test-key"))
+
+    assert isinstance(exc_info.value.original_error, RuntimeError)
+
+
+@pytest.mark.parametrize("transport_class", [SyncTransport, AsyncTransport])
+def test_transport_preserves_hyperbrowser_api_key_empty_check_length_failures(
+    transport_class,
+):
+    class _BrokenLengthApiKey(str):
+        class _NormalizedKey(str):
+            def __len__(self):
+                raise HyperbrowserError("custom length failure")
+
+        def strip(self, chars=None):  # type: ignore[override]
+            _ = chars
+            return self._NormalizedKey("test-key")
+
+    with pytest.raises(HyperbrowserError, match="custom length failure") as exc_info:
+        transport_class(api_key=_BrokenLengthApiKey("test-key"))
+
+    assert exc_info.value.original_error is None
+
+
 @pytest.mark.parametrize("transport_class", [SyncTransport, AsyncTransport])
 def test_transport_preserves_hyperbrowser_api_key_character_iteration_failures(
     transport_class,
