noa-x / noxway ΓΆffentlich
Γ–ffentliche Dateiansicht: Raw-Dateien, Tree, Releases und Issues sind ohne Login verfΓΌgbar.
1Branches 0Tags
main_test.go
ZurΓΌck Raw 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

package main

import (
	"net/http"
	"testing"
)

// ─── sanitizeHeader ───────────────────────────────────────────────────────────

func TestSanitizeHeader_RemovesCRLF(t *testing.T) {
	cases := []struct {
		input string
		want  string
	}{
		{"normal-value", "normal-value"},
		{"value\r\nX-Injected: evil", "value X-Injected: evil"}, // CRLF removed, spaces preserved after TrimSpace? No β€” let's check
		{"value\nInject: x", "value Inject: x"},
		{"value\rInject", "value Inject"},
		{"has\x00null", "hasnull"},
		{"  padded  ", "padded"},
	}
	for _, tc := range cases {
		got := sanitizeHeader(tc.input)
		// Key properties: no \r, \n, or \x00 in output
		for _, bad := range []byte{'\r', '\n', '\x00'} {
			for _, c := range []byte(got) {
				if c == bad {
					t.Errorf("sanitizeHeader(%q) still contains unsafe byte 0x%02x in output %q", tc.input, bad, got)
				}
			}
		}
	}
}

func TestSanitizeHeader_InjectionPrevented(t *testing.T) {
	// A classic header injection attempt
	payload := "legit\r\nX-Admin: true"
	got := sanitizeHeader(payload)
	for _, c := range got {
		if c == '\r' || c == '\n' {
			t.Errorf("injection payload not sanitized: %q β†’ %q", payload, got)
		}
	}
}

func TestSanitizeHeader_CleanPassthrough(t *testing.T) {
	cases := []string{
		"application/json",
		"Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
		"en-US,en;q=0.9",
		"gzip, deflate, br",
	}
	for _, v := range cases {
		got := sanitizeHeader(v)
		if got != v {
			t.Errorf("clean header value should pass through unchanged: %q β†’ %q", v, got)
		}
	}
}

// ─── isWebSocketRequest ───────────────────────────────────────────────────────

func TestIsWebSocketRequest_True(t *testing.T) {
	cases := []string{"websocket", "WebSocket", "WEBSOCKET", "Websocket"}
	for _, v := range cases {
		r, _ := http.NewRequest("GET", "/ws", nil)
		r.Header.Set("Upgrade", v)
		if !isWebSocketRequest(r) {
			t.Errorf("Upgrade: %q should be detected as WebSocket request", v)
		}
	}
}

func TestIsWebSocketRequest_False(t *testing.T) {
	cases := []struct{ key, val string }{
		{"Upgrade", ""},
		{"Upgrade", "h2c"},
		{"Connection", "upgrade"}, // Upgrade header missing
		{"", ""},
	}
	for _, tc := range cases {
		r, _ := http.NewRequest("GET", "/api", nil)
		if tc.key != "" {
			r.Header.Set(tc.key, tc.val)
		}
		if isWebSocketRequest(r) {
			t.Errorf("request with %q:%q should NOT be a WebSocket request", tc.key, tc.val)
		}
	}
}
Sprachen
Go 46%
JavaScript 45%
Markdown 3.3%
HTML 2.5%
YAML 1.7%
JSON 1.1%
Klonen
HTTPS