fix(security): URL-encode CLI query parameters to prevent CWE-74 injection

cli_audit.py and cli_leaderboard.py built query strings by
string-interpolating user-supplied CLI args directly into URLs
(e.g. f'agent={args.agent}'). A value like 'foo&admin=true' would
inject extra query parameters into the HTTP request.

Replace manual string concatenation with urllib.parse.urlencode()
which properly percent-encodes all parameter values.

Author: sauravbhattacharya001

sdk/agentlens/cli_audit.py

@@ -166,6 +166,7 @@ def _summary_stats(entries: list[dict]) -> str:
 def cmd_audit(args: Any) -> None:
     """Fetch and display the agent action audit trail."""
     import os
+    import urllib.parse
     import urllib.request
 
     endpoint = (
@@ -178,23 +179,25 @@ def cmd_audit(args: Any) -> None:
     )
     headers = {"x-api-key": api_key}
 
-    params = []
+    # Use urllib.parse.urlencode for proper URL-encoding of parameter
+    # values (CWE-74 — prevents query-string injection via CLI args).
+    params: dict[str, str] = {}
     if getattr(args, "agent", None):
-        params.append(f"agent={args.agent}")
+        params["agent"] = args.agent
     if getattr(args, "action_filter", None):
-        params.append(f"action={args.action_filter}")
+        params["action"] = args.action_filter
     if getattr(args, "severity", None):
-        params.append(f"severity={args.severity}")
+        params["severity"] = args.severity
     if getattr(args, "model", None):
-        params.append(f"model={args.model}")
+        params["model"] = args.model
     if getattr(args, "session", None):
-        params.append(f"session_id={args.session}")
+        params["session_id"] = args.session
     if getattr(args, "since", None):
-        params.append(f"since_hours={args.since}")
+        params["since_hours"] = str(args.since)
     if getattr(args, "limit", None):
-        params.append(f"limit={args.limit}")
+        params["limit"] = str(args.limit)
 
-    qs = ("?" + "&".join(params)) if params else ""
+    qs = ("?" + urllib.parse.urlencode(params)) if params else ""
     url = f"{endpoint}/audit{qs}"
 
     req = urllib.request.Request(url, headers=headers)

sdk/agentlens/cli_leaderboard.py

@@ -39,21 +39,24 @@ def cmd_leaderboard(args: Any) -> None:
 
     base_url, headers = _get_client(args)
 
+    import urllib.parse
     import urllib.request
 
-    params = []
+    # Use urllib.parse.urlencode for proper URL-encoding of parameter
+    # values (CWE-74 — prevents query-string injection via CLI args).
+    params: dict[str, str] = {}
     if args.sort:
-        params.append(f"sort={args.sort}")
+        params["sort"] = args.sort
     if args.days:
-        params.append(f"days={args.days}")
+        params["days"] = str(args.days)
     if args.limit:
-        params.append(f"limit={args.limit}")
+        params["limit"] = str(args.limit)
     if args.min_sessions:
-        params.append(f"min_sessions={args.min_sessions}")
+        params["min_sessions"] = str(args.min_sessions)
     if args.order:
-        params.append(f"order={args.order}")
+        params["order"] = args.order
 
-    qs = ("?" + "&".join(params)) if params else ""
+    qs = ("?" + urllib.parse.urlencode(params)) if params else ""
     url = f"{base_url}/leaderboard{qs}"
 
     req = urllib.request.Request(url, headers=headers)