test: e2e HTTP analyzer → reporter regression tests #58
Merged
Add 3 end-to-end tests that drive HttpAnalyzer with C1 CSI (U+009B) injection and verify the full reporter pipeline escapes dangerous bytes.

Key finding during issue validation: httparse rejects C0 control bytes (including ESC 0x1b) in URIs and header values, but accepts C1 codepoints because their UTF-8 encoding (0xC2 0x9B) uses high bytes. C1 CSI is the real injection vector through the HTTP analyzer.

Tests added:
- test_http_finding_c1_csi_escaped_by_terminal_reporter
- test_http_finding_c1_csi_in_json_reporter
- test_http_analyzer_summary_c1_csi_escaped_by_terminal_reporter

Closes #56
RFC 8259 only mandates escaping C0 (U+0000-U+001F). serde_json also escapes DEL (U+007F) as an implementation choice, not per RFC mandate.
Pull request overview
Adds end-to-end regression coverage for ADR 0003’s “raw in data layer, escape at render time” contract specifically on the real HttpAnalyzer::on_data path, focusing on the viable C1 control-code injection vector (U+009B CSI) that survives httparse parsing.
Changes:
- Add 3 e2e tests that feed crafted HTTP requests into HttpAnalyzer::on_data and validate reporter behavior.
- Assert terminal output escapes C1 CSI (no raw 0xC2 0x9B bytes) for both findings and analyzer summaries.
- Assert JSON round-trip preserves the C1 CSI codepoint in Finding.summary.
Summary
HttpAnalyzer::on_data with crafted HTTP requests containing C1 CSI (U+009B) injection, then render through both TerminalReporter and JsonReporter, verifying ADR 0003's output sanitization contract.

httparse rejects C0 control bytes (including ESC 0x1b) in URIs and header values, but accepts C1 codepoints (U+009B CSI = 0xC2 0x9B) because their UTF-8 encoding uses high bytes (≥ 0x80). C1 CSI is the real viable injection vector through the HTTP analyzer.

pr-test-analyzer during the ADR 0003 PR review (feat(reporter): layered output sanitization + ADR 0003 #57).

Tests added
- test_http_finding_c1_csi_escaped_by_terminal_reporter
- test_http_finding_c1_csi_in_json_reporter
- test_http_analyzer_summary_c1_csi_escaped_by_terminal_reporter

Closes #56
Test plan
- cargo test --test reporter_tests
- cargo clippy --all-targets clean
- cargo fmt --check clean
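The "raw in data layer, escape at render time" contract the PR tests, as an added stand-alone illustration that is not the project's own code: the data layer keeps the summary string untouched, the terminal renderer rewrites C0, DEL and C1 control characters into visible escapes, and a byte-level check mirrors what the e2e tests assert (no raw 0xC2 0x9B in rendered output). The function names and the sample header value are assumptions constructed for this example.

```rust
// Added example (not part of the PR or the project): render-time escaping
// of terminal control characters. The data layer never alters the string;
// only the terminal renderer applies `escape_for_terminal`.

/// C0 (U+0000..U+001F), DEL (U+007F) and C1 (U+0080..U+009F). The C1 range
/// matters because httparse passes it through: U+009B is UTF-8 0xC2 0x9B,
/// both bytes >= 0x80, so it is not rejected as a C0 control byte.
pub fn is_terminal_control(c: char) -> bool {
    matches!(c, '\u{0}'..='\u{1f}' | '\u{7f}' | '\u{80}'..='\u{9f}')
}

/// Terminal renderer: every control character becomes a visible `\u{..}`
/// escape, so a CSI sequence can no longer steer the terminal.
pub fn escape_for_terminal(raw: &str) -> String {
    let mut out = String::with_capacity(raw.len());
    for c in raw.chars() {
        if is_terminal_control(c) {
            out.push_str(&format!("\\u{{{:x}}}", c as u32));
        } else {
            out.push(c);
        }
    }
    out
}

/// The assertion the e2e tests make on rendered bytes: no raw UTF-8
/// encoding of U+009B anywhere in the output.
pub fn contains_raw_c1_csi(rendered: &[u8]) -> bool {
    rendered.windows(2).any(|w| w == [0xC2u8, 0x9Bu8])
}

/// Constructed sample (hypothetical finding summary): a header value that
/// embeds C1 CSI to set and reset a colour, the kind of input the PR tests.
pub fn sample_summary() -> String {
    format!("Suspicious User-Agent: evil{}31mRED{}0m", '\u{9b}', '\u{9b}')
}

fn main() {
    let raw = sample_summary();
    // Raw data layer still carries the control codepoint.
    assert!(contains_raw_c1_csi(raw.as_bytes()));
    let rendered = escape_for_terminal(&raw);
    // Terminal layer does not.
    assert!(!contains_raw_c1_csi(rendered.as_bytes()));
    println!("{rendered}");
}
```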