Skip to content

fix(httputil): prevent memory corruption in ResponseChain #711

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Mzack9999 merged 2 commits into from
Nov 30, 2025
Merged

fix(httputil): prevent memory corruption in ResponseChain #711

Mzack9999 merged 2 commits into from
Nov 30, 2025

Conversation

@dwisiswant0
Copy link
Member

@dwisiswant0 dwisiswant0 commented Nov 29, 2025

Changes

fix(httputil): prevent memory corruption in ResponseChain

string accessors.

Replaces unsafe zero-copy conversion.String()
with bytes.Buffer.String() in HeadersString()
and BodyString() methods.

The previous (>= v0.7.0) implementation used
conversion.String() on the buffer's byte slice,
which created a string that shared memory with the
pooled bytes.Buffer. When buffers were returned
to the pool (via Close()) and reused, the
strings held by consumers would be corrupted lmao.

Proof

patch:

$ go test -v -race -run "^TestResponseChain_StringSafety$" ./http/
=== RUN   TestResponseChain_StringSafety
--- PASS: TestResponseChain_StringSafety (0.00s)
PASS
ok  	github.com/projectdiscovery/utils/http	1.043s

main:

$ git cherry-pick b09f27a
$ go test -v -race -run "^TestResponseChain_StringSafety$" ./http/
=== RUN   TestResponseChain_StringSafety
    respChain_test.go:1228: 
        	Error Trace:	/home/dw1/Development/PD/utils/http/respChain_test.go:1228
        	Error:      	"ALERTA_GARBAGE_DATA_OVERWRITING_MEMORY_ALERTA_GARBAGE_DATA_OVERWRITING_MEMOR" does not contain "Original Header Value"
        	Test:       	TestResponseChain_StringSafety
        	Messages:   	HeadersString() content changed after buffer reuse - unsafe memory sharing detected
--- FAIL: TestResponseChain_StringSafety (0.00s)
FAIL
FAIL	github.com/projectdiscovery/utils/http	0.034s
FAIL

@dwisiswant0
test(httputil): add TestResponseChain_StringSafety
b09f27a 
Signed-off-by: Dwi Siswanto <[email protected]>
@dwisiswant0
fix(httputil): prevent memory corruption in ResponseChain
99ca5c1 
string accessors.

Replaces unsafe zero-copy `conversion.String()`
with `bytes.Buffer.String()` in `HeadersString()`
and `BodyString()` methods.

The previous (>= v0.7.0) implementation used
`conversion.String()` on the buffer's byte slice,
which created a string that shared memory with the
pooled `bytes.Buffer`. When buffers were returned
to the pool (via `Close()`) and reused, the
strings held by consumers would be corrupted lmao.

Signed-off-by: Dwi Siswanto <[email protected]>
@dwisiswant0 dwisiswant0 linked an issue Nov 29, 2025 that may be closed by this pull request
httputil: data corruption in ResponseChain string accessors #710
Closed
dwisiswant0
dwisiswant0 commented Nov 29, 2025
View reviewed changes
http/respChain.go
Comment on lines 317 to 321
// FullResponseString returns the current response as string in the chain.
//
// The returned string is a copy and remains valid even after Close() is called.
// This is a zero-copy operation from the byte slice.
func (r *ResponseChain) FullResponseString() string {
return conversion.String(r.FullResponseBytes())
Copy link
Member Author

@dwisiswant0 dwisiswant0 Nov 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FullResponseString() is already safe because FullResponseBytes() returns a new slice, so I will leave it as is to maintain the zero-copy optimization on that specific method (avoiding a second copy).

@dwisiswant0 dwisiswant0 self-assigned this Nov 29, 2025
@Mzack9999 Mzack9999 merged commit 6ddbc26 into main Nov 30, 2025
7 checks passed
@Mzack9999 Mzack9999 deleted the dwisiswant0/fix/httputil/prevent-memory-corruption-in-ResponseChain branch November 30, 2025 09:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mzack9999 Mzack9999 Mzack9999 approved these changes

Assignees

@dwisiswant0 dwisiswant0

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

httputil: data corruption in ResponseChain string accessors

3 participants

@dwisiswant0 @Mzack9999