Release by arman-bd · Pull Request #1 · arman-bd/httpmorph

arman-bd · 2025-10-10T19:27:44Z

No description provided.

- Add _POSIX_C_SOURCE and _XOPEN_SOURCE macros for strdup declaration - Include strings.h for strcasecmp function - Fix http2_request signature to accept const request parameter - Fix C23 label-declaration warning by wrapping in block scope 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

Build fixes: - Compile nghttp2 with -fPIC flag for shared library compatibility - Add POSIX feature macros to browser_profiles.c - Include strings.h for strcasecmp function - Fix ja3_hash to use MD5 hash instead of full JA3 string (33 chars max) Docker testing: - Add Dockerfile.test that mimics GitHub Actions ubuntu-latest - Add docker-compose.test.yml for easier Docker management - Add Makefile targets: docker-build, docker-test, docker-shell - Add .dockerignore to optimize build context This allows local testing in the exact CI environment before pushing, significantly reducing CI iteration time. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

…ys support

- Enable benchmarks in CI by setting ENABLE_BENCHMARK="true" - Update _benchmark.yml to use split restore/save cache pattern matching _test.yml - Remove non-functional save-always parameter - Ensure caches are saved even on benchmark failure using if: always() This ensures benchmark workflow has the same robust caching as the test workflow. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

Temporarily disable benchmarks in CI. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

codecov-commenter · 2025-10-10T19:42:03Z

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

Initial Release

This commit addresses multiple security issues discovered during edge case analysis and improves test infrastructure for better reliability. Security Fixes: - Fix HTTP/1.1 body reallocation bug causing data loss (#1) * Modified realloc_body_buffer() to use current_data_size parameter * Fixes issue where response->body_len was 0 during receive * Prevents data loss when buffer needs to grow during receive - Add integer overflow protection in 8 critical locations (#7, #8) * HTTP/2 data callback buffer doubling (http2_logic.c:140) * HTTP/1.1 body buffer reallocation (http1.c:417, 549, 606) * Gzip decompression buffer expansion (compression.c:55) * Response header array growth (response.c:123) * Request header array growth (request.c:112) * Async request array growth (async_request_manager.c:171) * All checks use SIZE_MAX/2 to prevent integer overflow - Fix memory leak in DNS cache deep copy (#13) * Added proper cleanup on allocation failures in addrinfo_deep_copy() * Prevents memory leaks when malloc/strdup fails mid-operation Async HTTP Proxy Improvements: - Fix async HTTP proxy to use absolute URI for proxy requests - Add Proxy-Authorization header support for authenticated HTTP proxies - Properly distinguish between HTTP (uses absolute URI) and HTTPS (uses path) Test Infrastructure: - Add comprehensive edge case security tests (25 test cases) * Integer overflow protection tests * Memory leak prevention tests * Thread safety tests * Boundary condition tests - Add buffer reallocation regression tests (11 test cases) * Large response handling * Gzip decompression * Chunked transfer encoding * Multiple buffer doubling scenarios - Update proxy tests to use httpmorph-bin.bytetunnels.com * Added fixtures for both HTTP and HTTPS testing * HTTPS uses verify=False for self-signed certificates * Improved test reliability by using dedicated test server Results: All 371 tests pass with 14 expected skips

* fix: critical security vulnerabilities and improve proxy test coverage This commit addresses multiple security issues discovered during edge case analysis and improves test infrastructure for better reliability. Security Fixes: - Fix HTTP/1.1 body reallocation bug causing data loss (#1) * Modified realloc_body_buffer() to use current_data_size parameter * Fixes issue where response->body_len was 0 during receive * Prevents data loss when buffer needs to grow during receive - Add integer overflow protection in 8 critical locations (#7, #8) * HTTP/2 data callback buffer doubling (http2_logic.c:140) * HTTP/1.1 body buffer reallocation (http1.c:417, 549, 606) * Gzip decompression buffer expansion (compression.c:55) * Response header array growth (response.c:123) * Request header array growth (request.c:112) * Async request array growth (async_request_manager.c:171) * All checks use SIZE_MAX/2 to prevent integer overflow - Fix memory leak in DNS cache deep copy (#13) * Added proper cleanup on allocation failures in addrinfo_deep_copy() * Prevents memory leaks when malloc/strdup fails mid-operation Async HTTP Proxy Improvements: - Fix async HTTP proxy to use absolute URI for proxy requests - Add Proxy-Authorization header support for authenticated HTTP proxies - Properly distinguish between HTTP (uses absolute URI) and HTTPS (uses path) Test Infrastructure: - Add comprehensive edge case security tests (25 test cases) * Integer overflow protection tests * Memory leak prevention tests * Thread safety tests * Boundary condition tests - Add buffer reallocation regression tests (11 test cases) * Large response handling * Gzip decompression * Chunked transfer encoding * Multiple buffer doubling scenarios - Update proxy tests to use httpmorph-bin.bytetunnels.com * Added fixtures for both HTTP and HTTPS testing * HTTPS uses verify=False for self-signed certificates * Improved test reliability by using dedicated test server Results: All 371 tests pass with 14 expected skips * chore: more test cases * [FIX] Make dotenv import optional in test files for CI compatibility Fix ModuleNotFoundError in CI environments where python-dotenv is not installed. Changes: - Wrap dotenv import in try/except block in test_buffer_reallocation.py - Wrap dotenv import in try/except block in test_edge_cases_security.py - Follow same pattern as conftest.py for optional dependency handling Impact: - Tests now work in CI without requiring python-dotenv installation - Local development still benefits from .env file loading when dotenv is available - Environment variables can be set directly in CI/CD pipelines Fixes CI failures across all workflows with: ModuleNotFoundError: No module named 'dotenv' * [FIX] Pass TEST_HTTPBIN_HOST secret to CI test workflows Add TEST_HTTPBIN_HOST environment variable to CI workflows to fix test failures. Changes: - Add TEST_HTTPBIN_HOST to workflow secrets in _test.yml - Pass TEST_HTTPBIN_HOST to test environment in _test.yml - Pass TEST_HTTPBIN_HOST from ci.yml to _test.yml workflow Impact: - Edge case security tests can now access httpmorph-bin test server in CI - Buffer reallocation tests can run in CI environment - Fixes collection errors: "TEST_HTTPBIN_HOST environment variable is not set" Related: - Works together with previous commit making dotenv import optional - TEST_HTTPBIN_HOST must be configured as repository secret in GitHub

This commit addresses multiple security issues discovered during edge case analysis and improves test infrastructure for better reliability. Security Fixes: - Fix HTTP/1.1 body reallocation bug causing data loss (#1) * Modified realloc_body_buffer() to use current_data_size parameter * Fixes issue where response->body_len was 0 during receive * Prevents data loss when buffer needs to grow during receive - Add integer overflow protection in 8 critical locations (#7, #8) * HTTP/2 data callback buffer doubling (http2_logic.c:140) * HTTP/1.1 body buffer reallocation (http1.c:417, 549, 606) * Gzip decompression buffer expansion (compression.c:55) * Response header array growth (response.c:123) * Request header array growth (request.c:112) * Async request array growth (async_request_manager.c:171) * All checks use SIZE_MAX/2 to prevent integer overflow - Fix memory leak in DNS cache deep copy (#13) * Added proper cleanup on allocation failures in addrinfo_deep_copy() * Prevents memory leaks when malloc/strdup fails mid-operation Async HTTP Proxy Improvements: - Fix async HTTP proxy to use absolute URI for proxy requests - Add Proxy-Authorization header support for authenticated HTTP proxies - Properly distinguish between HTTP (uses absolute URI) and HTTPS (uses path) Test Infrastructure: - Add comprehensive edge case security tests (25 test cases) * Integer overflow protection tests * Memory leak prevention tests * Thread safety tests * Boundary condition tests - Add buffer reallocation regression tests (11 test cases) * Large response handling * Gzip decompression * Chunked transfer encoding * Multiple buffer doubling scenarios - Update proxy tests to use httpmorph-bin.bytetunnels.com * Added fixtures for both HTTP and HTTPS testing * HTTPS uses verify=False for self-signed certificates * Improved test reliability by using dedicated test server Results: All 371 tests pass with 14 expected skips

* fix: critical security vulnerabilities and improve proxy test coverage This commit addresses multiple security issues discovered during edge case analysis and improves test infrastructure for better reliability. Security Fixes: - Fix HTTP/1.1 body reallocation bug causing data loss (#1) * Modified realloc_body_buffer() to use current_data_size parameter * Fixes issue where response->body_len was 0 during receive * Prevents data loss when buffer needs to grow during receive - Add integer overflow protection in 8 critical locations (#7, #8) * HTTP/2 data callback buffer doubling (http2_logic.c:140) * HTTP/1.1 body buffer reallocation (http1.c:417, 549, 606) * Gzip decompression buffer expansion (compression.c:55) * Response header array growth (response.c:123) * Request header array growth (request.c:112) * Async request array growth (async_request_manager.c:171) * All checks use SIZE_MAX/2 to prevent integer overflow - Fix memory leak in DNS cache deep copy (#13) * Added proper cleanup on allocation failures in addrinfo_deep_copy() * Prevents memory leaks when malloc/strdup fails mid-operation Async HTTP Proxy Improvements: - Fix async HTTP proxy to use absolute URI for proxy requests - Add Proxy-Authorization header support for authenticated HTTP proxies - Properly distinguish between HTTP (uses absolute URI) and HTTPS (uses path) Test Infrastructure: - Add comprehensive edge case security tests (25 test cases) * Integer overflow protection tests * Memory leak prevention tests * Thread safety tests * Boundary condition tests - Add buffer reallocation regression tests (11 test cases) * Large response handling * Gzip decompression * Chunked transfer encoding * Multiple buffer doubling scenarios - Update proxy tests to use httpmorph-bin.bytetunnels.com * Added fixtures for both HTTP and HTTPS testing * HTTPS uses verify=False for self-signed certificates * Improved test reliability by using dedicated test server Results: All 371 tests pass with 14 expected skips * chore: more test cases * [FIX] Make dotenv import optional in test files for CI compatibility Fix ModuleNotFoundError in CI environments where python-dotenv is not installed. Changes: - Wrap dotenv import in try/except block in test_buffer_reallocation.py - Wrap dotenv import in try/except block in test_edge_cases_security.py - Follow same pattern as conftest.py for optional dependency handling Impact: - Tests now work in CI without requiring python-dotenv installation - Local development still benefits from .env file loading when dotenv is available - Environment variables can be set directly in CI/CD pipelines Fixes CI failures across all workflows with: ModuleNotFoundError: No module named 'dotenv' * [FIX] Pass TEST_HTTPBIN_HOST secret to CI test workflows Add TEST_HTTPBIN_HOST environment variable to CI workflows to fix test failures. Changes: - Add TEST_HTTPBIN_HOST to workflow secrets in _test.yml - Pass TEST_HTTPBIN_HOST to test environment in _test.yml - Pass TEST_HTTPBIN_HOST from ci.yml to _test.yml workflow Impact: - Edge case security tests can now access httpmorph-bin test server in CI - Buffer reallocation tests can run in CI environment - Fixes collection errors: "TEST_HTTPBIN_HOST environment variable is not set" Related: - Works together with previous commit making dotenv import optional - TEST_HTTPBIN_HOST must be configured as repository secret in GitHub * Release v0.2.5 ## Security Fixes This release addresses 9 critical security vulnerabilities discovered during code analysis: ### 1. HTTP/1.1 Body Reallocation Bug - **Severity**: HIGH - Data loss during response handling - **Impact**: Response body data was being discarded when buffer needed to grow - **Fix**: Corrected realloc_body_buffer() to track actual data size - **File**: src/core/http1.c:31 ### 2. Integer Overflow Protection (8 locations) - **Severity**: CRITICAL - Heap overflow vulnerability - **Impact**: Buffer doubling operations could overflow on large responses - **Locations**: HTTP/2 data callback, HTTP/1.1 body buffer, gzip decompression, response/request headers, async requests - **Fix**: Added overflow checks using SIZE_MAX/2 before all buffer doubling ### 3. DNS Cache Memory Leak - **Severity**: MEDIUM - Memory leak on allocation failure - **Fix**: Proper cleanup on all error paths in addrinfo_deep_copy() - **File**: src/core/network.c:78-123 ## Improvements ### Async HTTP Proxy - Use absolute URI for HTTP requests through proxy - Add Proxy-Authorization header for authenticated proxies - Proper HTTP vs HTTPS proxy distinction - **File**: src/core/async_request.c:1012-1064 ### CI/CD - Enhanced test configuration with proper secret handling - Improved workflow environment variable passing ## Changed Files **Core Security Fixes**: - src/core/http1.c - Body reallocation + overflow checks - src/core/http2_logic.c - Integer overflow protection - src/core/compression.c - Decompression overflow check - src/core/response.c - Header array overflow check - src/core/request.c - Header array overflow check - src/core/async_request_manager.c - Request array overflow check - src/core/async_request.c - HTTP proxy improvements - src/core/network.c - DNS cache memory leak fix **Infrastructure**: - .github/workflows/_test.yml - Enhanced test configuration - .github/workflows/ci.yml - Improved workflow secrets - tests/* - Comprehensive security test coverage ## Impact - **Security**: All 9 vulnerabilities patched - **Performance**: No regression - O(1) overflow checks - **Compatibility**: No breaking changes ## Upgrade Recommendation ⚠️ **Immediate upgrade recommended** to prevent: - Data loss during large response handling - Heap overflow from malicious or large responses - Memory leaks during DNS operations

arman-bd and others added 30 commits October 8, 2025 23:01

bugfix: build fix for linux

d864f0d

chore: ci update

2a7dc43

chore: more fixes

bb34763

bugfix: workflow path

e1dc20b

chore: removed items

7f3b876

chore: cache things

41a2bca

chore: fixes

055fe5b

chore: fixed cache

c6927a9

fix: enable mac

4ff8db0

chore: fix for mac

615b876

chore: fix

d1e5b99

chore: windows

013fd46

chore: fix for windows

8e665aa

chore: use MSYS2 for windows

a4a6916

chore: vcpkg

1923746

chore: fix vcpkg

97c83e4

chore: more win fix

8613f3d

chore: fix win

27d34a8

chore: win posix fix

c31e1c9

chore: fix for else

f75b938

chore: win fix

63a86c4

chore: fix

111afda

fix: win

57c8ba9

chore: winfix

58f244e

wip

56bc61b

chore: win fix

c156360

wip

438e272

build cache

a5dbf51

arman-bd and others added 18 commits October 10, 2025 16:53

chore: win fix

6e9d9c7

fix: add filelock dependency for tests

71d3f77

fix: use relative vendor path and add cache verification

e99c0e4

fix: add save-always to cache steps to save even on job failure

31a9448

debug: add verification step for C extension build

ff565ea

fix: split cache into separate restore and save actions for save-alwa…

4335e7b

…ys support

fix: add BoringSSL and vcpkg DLL paths to PATH for Windows

62a245e

debug: add detailed error traceback for C extension import

b7c0d83

fix: correct YAML syntax for multi-line Python command

2c3c253

fix: simplify C extension import test to avoid YAML syntax issues

5427dd0

debug: check for DLL files and improve error output

357ba66

debug: add detailed import error traceback to _client_c.py

263df26

fix: add DLL directories using os.add_dll_directory on Windows

462827e

chore: disable benchmark workflow

628f41b

Temporarily disable benchmarks in CI. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>

cross-test

84fcf53

benchmark

45f7c69

updated release

da1904f

arman-bd self-assigned this Oct 10, 2025

more fixes

313e8c3

libnghttp2 for linux

86d2f2b

arman-bd merged commit 017c40a into main Oct 10, 2025
32 of 45 checks passed

arman-bd added a commit that referenced this pull request Oct 26, 2025

Release (#1)

7dded17

Initial Release

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release#1

Release#1
arman-bd merged 50 commits intomainfrom
develop

arman-bd commented Oct 10, 2025

Uh oh!

codecov-commenter commented Oct 10, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

arman-bd commented Oct 10, 2025

Uh oh!

codecov-commenter commented Oct 10, 2025

Welcome to Codecov 🎉

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants