Defend against multi-encoded unsafe API path segments

Co-authored-by: Shri Sukhani <shrisukhani@users.noreply.github.com>

Author: cursoragent

hyperbrowser/client/base.py

@@ -90,7 +90,12 @@ def _build_url(self, path: str) -> str:
         normalized_query_suffix = (
             f"?{normalized_parts.query}" if normalized_parts.query else ""
         )
-        decoded_path = unquote(normalized_path_only)
+        decoded_path = normalized_path_only
+        for _ in range(3):
+            next_decoded_path = unquote(decoded_path)
+            if next_decoded_path == decoded_path:
+                break
+            decoded_path = next_decoded_path
         if "\\" in decoded_path:
             raise HyperbrowserError("path must not contain backslashes")
         if "\n" in decoded_path or "\r" in decoded_path:

tests/test_url_building.py

@@ -162,14 +162,26 @@ def test_client_build_url_rejects_empty_or_non_string_paths():
             HyperbrowserError, match="path must not contain relative path segments"
         ):
             client._build_url("/api/%2E/session")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain relative path segments"
+        ):
+            client._build_url("/%252e%252e/session")
         with pytest.raises(
             HyperbrowserError, match="path must not contain backslashes"
         ):
             client._build_url("/api/%5Csession")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain backslashes"
+        ):
+            client._build_url("/api/%255Csession")
         with pytest.raises(
             HyperbrowserError, match="path must not contain newline characters"
         ):
             client._build_url("/api/%0Asegment")
+        with pytest.raises(
+            HyperbrowserError, match="path must not contain newline characters"
+        ):
+            client._build_url("/api/%250Asegment")
     finally:
         client.close()