Reject API keys containing control characters

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/config.py

@@ -21,6 +21,10 @@ def __post_init__(self) -> None:
         self.api_key = self.api_key.strip()
         if not self.api_key:
             raise HyperbrowserError("api_key must not be empty")
+        if any(
+            ord(character) < 32 or ord(character) == 127 for character in self.api_key
+        ):
+            raise HyperbrowserError("api_key must not contain control characters")
         self.base_url = self.normalize_base_url(self.base_url)
         self.headers = normalize_headers(
             self.headers,
@@ -74,7 +78,9 @@ def normalize_base_url(base_url: str) -> str:
                 break
             decoded_base_path = next_decoded_base_path
         else:
-            raise HyperbrowserError("base_url path contains excessively nested URL encoding")
+            raise HyperbrowserError(
+                "base_url path contains excessively nested URL encoding"
+            )
         if "\\" in decoded_base_path:
             raise HyperbrowserError("base_url must not contain backslashes")
         if any(character.isspace() for character in decoded_base_path):
@@ -101,7 +107,9 @@ def normalize_base_url(base_url: str) -> str:
                 break
             decoded_base_netloc = next_decoded_base_netloc
         else:
-            raise HyperbrowserError("base_url host contains excessively nested URL encoding")
+            raise HyperbrowserError(
+                "base_url host contains excessively nested URL encoding"
+            )
         if "\\" in decoded_base_netloc:
             raise HyperbrowserError("base_url host must not contain backslashes")
         if any(character.isspace() for character in decoded_base_netloc):

hyperbrowser/transport/async_transport.py

@@ -22,6 +22,11 @@ def __init__(self, api_key: str, headers: Optional[Mapping[str, str]] = None):
         normalized_api_key = api_key.strip()
         if not normalized_api_key:
             raise HyperbrowserError("api_key must not be empty")
+        if any(
+            ord(character) < 32 or ord(character) == 127
+            for character in normalized_api_key
+        ):
+            raise HyperbrowserError("api_key must not contain control characters")
         merged_headers = merge_headers(
             {
                 "x-api-key": normalized_api_key,

hyperbrowser/transport/sync.py

@@ -22,6 +22,11 @@ def __init__(self, api_key: str, headers: Optional[Mapping[str, str]] = None):
         normalized_api_key = api_key.strip()
         if not normalized_api_key:
             raise HyperbrowserError("api_key must not be empty")
+        if any(
+            ord(character) < 32 or ord(character) == 127
+            for character in normalized_api_key
+        ):
+            raise HyperbrowserError("api_key must not contain control characters")
         merged_headers = merge_headers(
             {
                 "x-api-key": normalized_api_key,

tests/test_client_api_key.py

@@ -76,3 +76,17 @@ def test_async_client_rejects_blank_constructor_api_key(monkeypatch):
 
     with pytest.raises(HyperbrowserError, match="api_key must not be empty"):
         AsyncHyperbrowser(api_key="\t")
+
+
+def test_sync_client_rejects_control_character_api_key():
+    with pytest.raises(
+        HyperbrowserError, match="api_key must not contain control characters"
+    ):
+        Hyperbrowser(api_key="bad\nkey")
+
+
+def test_async_client_rejects_control_character_api_key():
+    with pytest.raises(
+        HyperbrowserError, match="api_key must not contain control characters"
+    ):
+        AsyncHyperbrowser(api_key="bad\nkey")

tests/test_config.py

@@ -195,6 +195,10 @@ def test_client_config_rejects_non_string_values():
 
     with pytest.raises(HyperbrowserError, match="api_key must not be empty"):
         ClientConfig(api_key="   ")
+    with pytest.raises(
+        HyperbrowserError, match="api_key must not contain control characters"
+    ):
+        ClientConfig(api_key="bad\nkey")
 
 
 def test_client_config_rejects_empty_or_invalid_base_url():

tests/test_custom_headers.py

@@ -33,6 +33,10 @@ def test_sync_transport_rejects_invalid_api_key_values():
         SyncTransport(api_key=None)  # type: ignore[arg-type]
     with pytest.raises(HyperbrowserError, match="api_key must not be empty"):
         SyncTransport(api_key="   ")
+    with pytest.raises(
+        HyperbrowserError, match="api_key must not contain control characters"
+    ):
+        SyncTransport(api_key="bad\nkey")
 
 
 def test_sync_transport_rejects_empty_header_name():
@@ -88,6 +92,10 @@ def test_async_transport_rejects_invalid_api_key_values():
         AsyncTransport(api_key=None)  # type: ignore[arg-type]
     with pytest.raises(HyperbrowserError, match="api_key must not be empty"):
         AsyncTransport(api_key="   ")
+    with pytest.raises(
+        HyperbrowserError, match="api_key must not contain control characters"
+    ):
+        AsyncTransport(api_key="bad\nkey")
 
 
 def test_async_transport_rejects_empty_header_name():