Skip to content

Commit

Permalink
test(AtomicLevel): demonstrate Handler is not vulnerable to XSS (uber…
Browse files Browse the repository at this point in the history
…-go#1477)

Adds a unit test and a fuzz test to demonstrate
that the AtomicLevel handler is not vulnerable to XSS.

I ran the fuzz test on my computer for 10 minutes on my laptop
with no cases where `<...>` was present in the response body.

```
...
fuzz: elapsed: 9m57s, execs: 43145040 (95839/sec), new interesting: 442 (total: 445)
fuzz: elapsed: 10m0s, execs: 43396113 (83690/sec), new interesting: 442 (total: 445)
```

Refs uber-go#1476
  • Loading branch information
abhinav authored Dec 10, 2024
1 parent 9669253 commit 5f00c34
Showing 1 changed file with 42 additions and 0 deletions.
42 changes: 42 additions & 0 deletions http_handler_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ package zap_test
import (
"encoding/json"
"errors"
"io"
"net/http"
"net/http/httptest"
"strings"
Expand Down Expand Up @@ -215,3 +216,44 @@ type brokenHTTPResponseWriter struct {
func (w *brokenHTTPResponseWriter) Write([]byte) (int, error) {
return 0, errors.New("great sadness")
}

func TestAtomicLevelServeHTTPBadLevel(t *testing.T) {
srv := httptest.NewServer(zap.NewAtomicLevel())
defer srv.Close()

req, err := http.NewRequest(http.MethodPut, srv.URL, strings.NewReader(`{"level":"<script>alert(\"malicious\")</script>"}`))
require.NoError(t, err, "Error constructing request.")

res, err := http.DefaultClient.Do(req)
require.NoError(t, err, "Error making request.")
defer func() {
assert.NoError(t, res.Body.Close(), "Error closing response body.")
}()

assert.Equal(t, http.StatusBadRequest, res.StatusCode, "Unexpected status code.")
resBody, err := io.ReadAll(res.Body)
require.NoError(t, err, "Error reading response body.")

assert.Contains(t, string(resBody), "unrecognized level", "Unexpected error message.")
assert.NotContains(t, string(resBody), "<script>", "Unexpected error message.")
}

func FuzzAtomicLevelServeHTTP(f *testing.F) {
f.Add(`{"level":"info"}`)
f.Add(`{"level":"warn"}`)
f.Add(`{"level":"<script>alert(\"malicious\")</script>"}`)
f.Fuzz(func(t *testing.T, input string) {
lvl := zap.NewAtomicLevel()

resw := httptest.NewRecorder()
req, err := http.NewRequest(http.MethodPut, "http://localhost:9999/log/level", strings.NewReader(input))
require.NoError(t, err, "Error constructing request.")

lvl.ServeHTTP(resw, req)

require.NotEqual(t, http.StatusInternalServerError, resw.Code, "Unexpected status code.")

// Response body must never contain HTML tags.
assert.NotRegexp(t, `<[^>]+>`, resw.Body.String(), "Unexpected HTML tag in response body.")
})
}

0 comments on commit 5f00c34

Please sign in to comment.