Skip to content

HTTP spec conformance during CI #3169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Saturn225 wants to merge 65 commits into from
Closed

HTTP spec conformance during CI #3169

Saturn225 wants to merge 65 commits into from

Conversation

@Saturn225
Copy link

@Saturn225 Saturn225 commented Sep 26, 2024
edited
Loading

/claim #3083
fixes #3083

This PR integrates new HTTP conformance tests derived from the research paper "Who's Breaking the Rules? Studying Conformance to the HTTP Specifications and its Security Impact" by Jannis Rautenstrauch and Ben Stock. These tests now acts as a guardrails to ZIO -HTTP implementations adhere to the specifications and help identify potential security issues.

Conclusions

  1. The tests taken reference from http-conformance are categorised into 3 levels, Requirement, Recommendations and ABNF. The initial process is to add the conformance suite and I have added the Requirement and Recommendation level conformance tests which are critical to be tested to safeguard.

  2. I have ran http-conformance tool with simple zio-http server setup and observed analysis of tool with different categories Dangerous broken, Dangerous not broken, Not dangerous broken and Not Dangerous not broken. I have shifted towards first add tests for Dangerous ones and added them broken/not-broken then added not-dangerous ones.

Changes done:

Status Codes:

This specs verifies behaviour of the different Status Codes in Violations

  • 204 No Content which verifies no body is sent.
  • 205 Reset Content checks no body is sent.
  • 206 Partial Content checks the presence of Content-Range.
  • 206 Multipart Content checks Content-Range is excluded in multipart responses.
  • 206 Headers checks headers like ETag and Cache-Control are present.
  • 401 Unauthorized
    • checks the presence of WWW-Authenticate header.
    • checks 401 status when Authorization header is missing.
  • 405 Method Not Allowed checks the Allow header is present.
  • 407 Proxy Authentication Required verifies the Proxy-Authenticate header is present.
  • 304 Not Modified checks no body is returned for 304 Not Modified and verifies consistency with 200 OK and more....

Redirection (Location Header):

This tests added validates the presence of Location header in 300 Multiple Choices, 301 Moved Permanently, 302 Found, 303 See Other, 307 Temporary Redirect and 308 Permanent Redirect responses.

Headers and Metadata:

  • Range Header (206) checks Content-Range is present in 206 responses.
  • Content-Range (416) validates Content-Range in 416 Range Not Satisfiable.
  • Content-Length in CONNECT checks no Content-Length for 2XX CONNECT.
  • Transfer-Encoding in CONNECT checks no Transfer-Encoding for 2XX CONNECT.
  • CSP Header validates that only one Content-Security-Policy header is sent.

HTTP Methods:

  • HEAD Request (no body) verifies no body is sent in HEAD requests.
  • GET and HEAD Headers Consistency checks for matching headers in GET and HEAD.
  • POST Invalid Response Codes validates POST does not return 206, 304, or 416.
  • 501 Unknown HTTP Methods validates unknown methods return 501 Not Implemented.
  • 405 Blocked Methods validates non-allowed methods return 405 Method Not Allowed.

HTTP Versions:

  • Transfer-Encoding with HTTP/1.0 validates no Transfer-Encoding for HTTP/1.0.
  • Transfer-Encoding with HTTP/1.1 validates Transfer-Encoding for HTTP/1.1 or higher.
  • Whitespace in Start-Line validates rejection of requests with improper start-line formatting.
  • Bare CR in Headers checks compliance with CRLF formatting in headers.

Connection Management and Headers:

  • Close in Final Response validates Connection close is included when requested.
  • Bad Headers with CR, LF, or NUL validates headers with illegal characters are rejected.
  • Upgrade and Expect Headers validates 100 Continue before 101 Switching Protocols when both Upgrade and Expect headers are present.

Some of other added are 426 Upgrade Required and 101 Switching Protocols

Cache-Control Directives:

This spec added checks for unquoted values for max-age and s-maxage and quoted-string form for no-cache and private.

Content-Length and Transfer-Encoding:

This spec validates no Content-Length or Transfer-Encoding in 1xx and 204 responses and also to validate consistency of Content-Length between HEAD and GET as well as between 304 Not Modified and 200 OK.

Cookie Handling:

This spec guardrails no duplicate cookie attributes in Set-Cookie headers and no duplicate cookies with the same name and also the use of IMF-fixdate format for cookie expiration dates.

Miscellaneous:

Some of miscellaneous compliance tests added checks with headers such as Server, Content-Type, Accept-Patch and Date.

Possible Changes to Discuss:

Some tests related to Content-Security-Policy-Report-Only and Strict-Transport-Security (STS) are not yet supported in ZIO-HTTP, but I have raised tickets for their future inclusion #3171 and #3172 . Once these headers are supported, we can add more tests to validate their behavior. HTTP/2 is not yet supported in ZIO-HTTP. Once it is implemented, additional tests for HTTP/2 conformance will be necessary. I have mainly focused on to add the Requirement and Recommended tests which sets initial process to add conformance guardrail for zio-http. The ABNF checks could be added gradually into the suite

Other

I have fixed the all violating checks added as per the conformance suite added.
Thanks @JannisBush for the detailed paper and the excellent tool!

@CLAassistant
Copy link

CLAassistant commented Sep 26, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@algora-pbc algora-pbc bot mentioned this pull request Sep 26, 2024
Closed
@algora-pbc
Copy link

algora-pbc bot commented Sep 26, 2024

💵 To receive payouts, sign up on Algora, link your Github account and connect with Stripe.

@Saturn225 Saturn225 marked this pull request as draft September 26, 2024 07:13
@Saturn225 Saturn225 marked this pull request as ready for review September 26, 2024 08:20
@987Nabil
Copy link
Contributor

987Nabil commented Sep 26, 2024

@Saturn225 HTTP/2 is out of scope. The failing test should be fixed first. I set this PR to draft for now. Once you fixed the issues open again. If you are stuck, you can contact me on discord

@987Nabil 987Nabil marked this pull request as draft September 26, 2024 21:25
@Saturn225 Saturn225 force-pushed the feat/conformance-spec branch from 8925eba to 969afa9 Compare September 30, 2024 05:37
@Saturn225 Saturn225 marked this pull request as ready for review October 1, 2024 17:30
987Nabil
987Nabil reviewed Oct 1, 2024
View reviewed changes
@Saturn225
Copy link
Author

Saturn225 commented Oct 8, 2024

The failing test is that cors header is adding OPTIONS method automatically in that spec. I will need to take care of this case in toHandler. I'll fix it

@Saturn225
Copy link
Author

Saturn225 commented May 8, 2025

@kyri-petrou Can you review this, please? 🙏

kyri-petrou
kyri-petrou reviewed May 9, 2025
View reviewed changes
Saturn225 added 3 commits May 9, 2025 14:26
@Saturn225
Merge branch 'zio:main' into feat/conformance-spec
f5e97bb
@Saturn225
feat(server): add validateHeaders config flag to control built-in a…
f5f7eb2 
…nd custom header validation

- Adds `validateHeaders` (default: false) to Server.Config
- Wires it to Netty HttpRequestDecoder `.setValidateHeaders()`
- Guards custom `validateHostHeader()` logic behind the same flag
- Allows users to opt into full header validation
@Saturn225
make mima happier
6256e79
@netlify
Copy link

netlify bot commented May 25, 2025
edited
Loading

Deploy Preview for zio-http ready!

Name Link
🔨 Latest commit 2ba8dcd
🔍 Latest deploy log https://app.netlify.com/projects/zio-http/deploys/68fc8f1db2503f00084d69ce
😎 Deploy Preview https://deploy-preview-3169--zio-http.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@Saturn225 Saturn225 requested review from 987Nabil and kyri-petrou May 25, 2025 10:32
@Saturn225
Copy link
Author

Saturn225 commented May 26, 2025

@kyri-petrou @987Nabil could you please review/merge PR?

@Saturn225 Saturn225 mentioned this pull request Jun 7, 2025
Merged
987Nabil
987Nabil requested changes Jun 18, 2025
View reviewed changes
zio-http/shared/src/main/scala/zio/http/Server.scala
}
}

final case class ServerRuntimeConfig(
Copy link
Contributor

@987Nabil 987Nabil Jun 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't have a new class ever time we add a config. And while this is bin compatible, it is not source compatible.
It might be more work, but please make the other config a class instead of a case class and write all necessary methods by hand

@zio zio deleted a comment from Excellencedev Oct 13, 2025
@987Nabil 987Nabil closed this Nov 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@987Nabil 987Nabil 987Nabil requested changes

@jdegoes jdegoes Awaiting requested review from jdegoes jdegoes is a code owner

@vigoo vigoo Awaiting requested review from vigoo vigoo is a code owner

@kyri-petrou kyri-petrou Awaiting requested review from kyri-petrou kyri-petrou is a code owner

Assignees

No one assigned

Labels

🙋 Bounty claim

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Test for HTTP spec conformance during CI

5 participants

@Saturn225 @CLAassistant @987Nabil @jdegoes @kyri-petrou