edge-cases.yaml
#
# Contains edge-cases with two or more violations at the same time,
# to make sure that the most severe one is picked.
#
# Case: a custom header carrying a control byte (\x12) is sent together with a
# Content-Length whose value has a trailing control byte (\x11). The fixture
# expects the Content-Length problem to decide the verdict (Severe /
# BadContentLength), not the lower-tier custom header.
- name: 'Bad non-essential header does not shadow bad Content-Length'
  uri: /foo/bar
  method: POST
  version: HTTP/1.1
  headers:
    # Each header's `tier` is presumably the classification expected for that
    # header on its own -- confirm against the test harness.
    - name: Some-Custom-Header
      value: "Non-Rfc Compliant\x12"
      tier: NonCompliant
    - name: Content-Length
      value: "1000\x11"
      tier: Bad
  expected:
    tier: Severe
    reason: BadContentLength
    required_message_items:
      - "Content-Length"
      # Double-quoted scalar: `\\\\` decodes to two literal backslashes, so the
      # required substring is the text `0x11`, not the raw control byte.
      - "1000\\\\0x11"
# Case: same shape as the Content-Length variant, but the malformed header is
# Transfer-Encoding ("chunked" followed by DEL, \x7f). The fixture expects
# Severe / BadTransferEncoding even though a NonCompliant custom header is
# listed first.
- name: 'Bad non-essential header does not shadow bad Transfer-Encoding'
  uri: /foo/bar
  method: POST
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "Non-Rfc Compliant\x11"
      tier: NonCompliant
    - name: Transfer-Encoding
      value: "chunked\x7f"
      tier: Bad
  expected:
    tier: Severe
    reason: BadTransferEncoding
    required_message_items:
      - "Transfer-Encoding"
      # Double-quoted scalar: `\\\\` decodes to two literal backslashes, so the
      # required substring is the text `0x7f`, not the raw DEL byte.
      - "chunked\\\\0x7f"
# Case: one header value mixes lower-severity control bytes (\x11, \x12) with a
# NUL byte (\x00). The fixture expects the NUL to decide the verdict
# (Severe / BadHeader) and to be named in the message.
- name: 'Non-compliant character does not shadow bad character'
  uri: /foo/bar
  method: PUT
  version: HTTP/1.1
  headers:
    # Both header names end in a real TAB: `\t` is an escape inside a
    # double-quoted scalar.
    - name: "Some-Custom-Header\t"
      value: "\x11\x12 But then \x00 which is bad"
      tier: Bad
    # The value is a clean "chunked"; only the name's trailing TAB is unusual,
    # and this header is marked NonCompliant rather than Bad.
    - name: "Transfer-Encoding\t"
      value: "chunked"
      tier: NonCompliant
  expected:
    tier: Severe
    reason: BadHeader
    required_message_items:
      - "Some-Custom-Header"
      # escaped invalid character to be printable from C
      # (`\\\\` decodes to two literal backslashes followed by the text `0x00`)
      - "\\\\0x00"
# Case: a GET request carries Transfer-Encoding: chunked. Both headers are
# individually marked NonCompliant, yet the fixture expects the request-level
# verdict to be Ambiguous / UndefinedTransferEncodingSemantics, i.e. the
# body-framing header on a GET outranks the malformed custom header.
- name: 'Non-compliant customer header does not shadow ambiguous Transfer-Encoding for GET'
  uri: /foo/bar
  method: GET
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "Non Rfc -Compliant\x01"
      tier: NonCompliant
    - name: Transfer-Encoding
      value: chunked
      tier: NonCompliant
  expected:
    tier: Ambiguous
    reason: UndefinedTransferEncodingSemantics
    required_message_items:
      - "Transfer-Encoding"
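# Case: a HEAD request carries a Content-Length. Both headers are individually
# marked NonCompliant, yet the fixture expects the request-level verdict to be
# Ambiguous / UndefinedContentLengthSemantics, i.e. the body-length header on a
# HEAD outranks the malformed custom header.
- name: 'Non-compliant customer header does not shadow ambiguous Content-Length for HEAD'
  uri: /foo/bar
  method: HEAD
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "Non Rfc Compliant\x01"
      tier: NonCompliant
    - name: Content-Length
      # Quoted so every YAML loader yields the header value as the string
      # "9000" rather than an implicitly typed integer.
      value: "9000"
      tier: NonCompliant
  expected:
    tier: Ambiguous
    reason: UndefinedContentLengthSemantics
    required_message_items:
      - "Content-Length"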
# Case: both message-framing headers are malformed in the same request:
# Transfer-Encoding has a trailing \x80 byte and Content-Length starts with
# `$`. The fixture expects a Severe verdict that reports Transfer-Encoding
# (BadTransferEncoding), not Content-Length or the custom header.
- name: 'Bad header does not shadow other bad headers'
  uri: /foo/bar
  method: POST
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "\x11Rfc Compliant"
      tier: NonCompliant
    - name: "Transfer-Encoding"
      value: "chunked\x80"
      tier: Bad
    - name: Content-Length
      value: "$9000"
      tier: Bad
  expected:
    tier: Severe
    reason: BadTransferEncoding
    required_message_items:
      - "Transfer-Encoding"
# Case: a malformed URI is combined with malformed Transfer-Encoding and
# Content-Length headers. The fixture expects the verdict to come from the
# headers (Severe / BadTransferEncoding), not from the URI.
- name: 'Bad URI does not shadow essential bad headers'
  # NOTE(review): this is a plain (unquoted) scalar, and YAML only processes
  # escapes inside double quotes, so the URI contains a literal backslash
  # followed by `t`, not a TAB byte. Confirm which one the test intends.
  uri: /foo/bar\t/baz
  method: POST
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "\x11Rfc Compliant"
      tier: NonCompliant
    - name: "Transfer-Encoding"
      value: "chunked\x80"
      tier: Bad
    - name: Content-Length
      value: "$9000"
      tier: Bad
  expected:
    tier: Severe
    reason: BadTransferEncoding
    required_message_items:
      - "Transfer-Encoding"
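# Case: a malformed URI is combined with a Content-Length on a GET request.
# The fixture expects the verdict to come from the header
# (Ambiguous / UndefinedContentLengthSemantics), not from the URI or the
# NonCompliant custom header.
- name: 'Bad URI does not shadow essential ambiguous headers'
  # NOTE(review): this is a plain (unquoted) scalar, and YAML only processes
  # escapes inside double quotes, so the URI contains a literal backslash
  # followed by `t`, not a TAB byte. Confirm which one the test intends.
  uri: /foo/bar\t/baz
  method: GET
  version: HTTP/1.1
  headers:
    - name: Some-Custom-Header
      value: "Non Rfc -Compliant\x01"
      tier: NonCompliant
    - name: Content-Length
      # Quoted so every YAML loader yields the header value as the string
      # "9000" rather than an implicitly typed integer.
      value: "9000"
      tier: NonCompliant
  expected:
    tier: Ambiguous
    reason: UndefinedContentLengthSemantics
    required_message_items:
      - "Content-Length"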