test/unit/test_http_parser.rb

   1 # Copyright (c) 2005 Zed A. Shaw
   2 # You can redistribute it and/or modify it under the same terms as Ruby.
   3 #
   4 # Additional work donated by contributors.  See http://mongrel.rubyforge.org/attributions.html
   5 # for more information.
   6
   7 require 'test/test_helper'
   8
   9 include Unicorn
  10
  11 class HttpParserTest < Test::Unit::TestCase
  12
  13   def test_parse_simple
  14     parser = HttpParser.new
  15     req = {}
  16     http = "GET / HTTP/1.1\r\n\r\n"
  17     assert_equal req, parser.headers(req, http)
  18     assert_equal '', http
  19
  20     assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
  21     assert_equal '/', req['REQUEST_PATH']
  22     assert_equal 'HTTP/1.1', req['HTTP_VERSION']
  23     assert_equal '/', req['REQUEST_URI']
  24     assert_equal 'GET', req['REQUEST_METHOD']
  25     assert_nil req['FRAGMENT']
  26     assert_equal '', req['QUERY_STRING']
  27
  28     assert parser.keepalive?
  29     parser.reset
  30     req.clear
  31
  32     http = "G"
  33     assert_nil parser.headers(req, http)
  34     assert_equal "G", http
  35     assert req.empty?
  36
  37     # try parsing again to ensure we were reset correctly
  38     http = "GET /hello-world HTTP/1.1\r\n\r\n"
  39     assert parser.headers(req, http)
  40
  41     assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
  42     assert_equal '/hello-world', req['REQUEST_PATH']
  43     assert_equal 'HTTP/1.1', req['HTTP_VERSION']
  44     assert_equal '/hello-world', req['REQUEST_URI']
  45     assert_equal 'GET', req['REQUEST_METHOD']
  46     assert_nil req['FRAGMENT']
  47     assert_equal '', req['QUERY_STRING']
  48     assert_equal '', http
  49     assert parser.keepalive?
  50   end
  51
  52   def test_connection_close_no_ka
  53     parser = HttpParser.new
  54     req = {}
  55     tmp = "GET / HTTP/1.1\r\nConnection: close\r\n\r\n"
  56     assert_equal req.object_id, parser.headers(req, tmp).object_id
  57     assert_equal "GET", req['REQUEST_METHOD']
  58     assert ! parser.keepalive?
  59   end
  60
  61   def test_connection_keep_alive_ka
  62     parser = HttpParser.new
  63     req = {}
  64     tmp = "HEAD / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"
  65     assert_equal req.object_id, parser.headers(req, tmp).object_id
  66     assert parser.keepalive?
  67   end
  68
  69   def test_connection_keep_alive_ka_bad_method
  70     parser = HttpParser.new
  71     req = {}
  72     tmp = "POST / HTTP/1.1\r\nConnection: keep-alive\r\n\r\n"
  73     assert_equal req.object_id, parser.headers(req, tmp).object_id
  74     assert ! parser.keepalive?
  75   end
  76
  77   def test_connection_keep_alive_ka_bad_version
  78     parser = HttpParser.new
  79     req = {}
  80     tmp = "GET / HTTP/1.0\r\nConnection: keep-alive\r\n\r\n"
  81     assert_equal req.object_id, parser.headers(req, tmp).object_id
  82     assert ! parser.keepalive?
  83   end
  84
  85   def test_parse_server_host_default_port
  86     parser = HttpParser.new
  87     req = {}
  88     tmp = "GET / HTTP/1.1\r\nHost: foo\r\n\r\n"
  89     assert_equal req, parser.headers(req, tmp)
  90     assert_equal 'foo', req['SERVER_NAME']
  91     assert_equal '80', req['SERVER_PORT']
  92     assert_equal '', tmp
  93     assert parser.keepalive?
  94   end
  95
  96   def test_parse_server_host_alt_port
  97     parser = HttpParser.new
  98     req = {}
  99     tmp = "GET / HTTP/1.1\r\nHost: foo:999\r\n\r\n"
 100     assert_equal req, parser.headers(req, tmp)
 101     assert_equal 'foo', req['SERVER_NAME']
 102     assert_equal '999', req['SERVER_PORT']
 103     assert_equal '', tmp
 104     assert parser.keepalive?
 105   end
 106
 107   def test_parse_server_host_empty_port
 108     parser = HttpParser.new
 109     req = {}
 110     tmp = "GET / HTTP/1.1\r\nHost: foo:\r\n\r\n"
 111     assert_equal req, parser.headers(req, tmp)
 112     assert_equal 'foo', req['SERVER_NAME']
 113     assert_equal '80', req['SERVER_PORT']
 114     assert_equal '', tmp
 115     assert parser.keepalive?
 116   end
 117
 118   def test_parse_server_host_xfp_https
 119     parser = HttpParser.new
 120     req = {}
 121     tmp = "GET / HTTP/1.1\r\nHost: foo:\r\n" \
 122           "X-Forwarded-Proto: https\r\n\r\n"
 123     assert_equal req, parser.headers(req, tmp)
 124     assert_equal 'foo', req['SERVER_NAME']
 125     assert_equal '443', req['SERVER_PORT']
 126     assert_equal '', tmp
 127     assert parser.keepalive?
 128   end
 129
 130   def test_parse_strange_headers
 131     parser = HttpParser.new
 132     req = {}
 133     should_be_good = "GET / HTTP/1.1\r\naaaaaaaaaaaaa:++++++++++\r\n\r\n"
 134     assert_equal req, parser.headers(req, should_be_good)
 135     assert_equal '', should_be_good
 136     assert parser.keepalive?
 137
 138     # ref: http://thread.gmane.org/gmane.comp.lang.ruby.mongrel.devel/37/focus=45
 139     # (note we got 'pen' mixed up with 'pound' in that thread,
 140     # but the gist of it is still relevant: these nasty headers are irrelevant
 141     #
 142     # nasty_pound_header = "GET / HTTP/1.1\r\nX-SSL-Bullshit:   -----BEGIN CERTIFICATE-----\r\n\tMIIFbTCCBFWgAwIBAgICH4cwDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UEBhMCVUsx\r\n\tETAPBgNVBAoTCGVTY2llbmNlMRIwEAYDVQQLEwlBdXRob3JpdHkxCzAJBgNVBAMT\r\n\tAkNBMS0wKwYJKoZIhvcNAQkBFh5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMu\r\n\tdWswHhcNMDYwNzI3MTQxMzI4WhcNMDcwNzI3MTQxMzI4WjBbMQswCQYDVQQGEwJV\r\n\tSzERMA8GA1UEChMIZVNjaWVuY2UxEzARBgNVBAsTCk1hbmNoZXN0ZXIxCzAJBgNV\r\n\tBAcTmrsogriqMWLAk1DMRcwFQYDVQQDEw5taWNoYWVsIHBhcmQYJKoZIhvcNAQEB\r\n\tBQADggEPADCCAQoCggEBANPEQBgl1IaKdSS1TbhF3hEXSl72G9J+WC/1R64fAcEF\r\n\tW51rEyFYiIeZGx/BVzwXbeBoNUK41OK65sxGuflMo5gLflbwJtHBRIEKAfVVp3YR\r\n\tgW7cMA/s/XKgL1GEC7rQw8lIZT8RApukCGqOVHSi/F1SiFlPDxuDfmdiNzL31+sL\r\n\t0iwHDdNkGjy5pyBSB8Y79dsSJtCW/iaLB0/n8Sj7HgvvZJ7x0fr+RQjYOUUfrePP\r\n\tu2MSpFyf+9BbC/aXgaZuiCvSR+8Snv3xApQY+fULK/xY8h8Ua51iXoQ5jrgu2SqR\r\n\twgA7BUi3G8LFzMBl8FRCDYGUDy7M6QaHXx1ZWIPWNKsCAwEAAaOCAiQwggIgMAwG\r\n\tA1UdEwEB/wQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMA4GA1UdDwEB/wQEAwID6DAs\r\n\tBglghkgBhvhCAQ0EHxYdVUsgZS1TY2llbmNlIFVzZXIgQ2VydGlmaWNhdGUwHQYD\r\n\tVR0OBBYEFDTt/sf9PeMaZDHkUIldrDYMNTBZMIGaBgNVHSMEgZIwgY+AFAI4qxGj\r\n\tloCLDdMVKwiljjDastqooXSkcjBwMQswCQYDVQQGEwJVSzERMA8GA1UEChMIZVNj\r\n\taWVuY2UxEjAQBgNVBAsTCUF1dGhvcml0eTELMAkGA1UEAxMCQ0ExLTArBgkqhkiG\r\n\t9w0BCQEWHmNhLW9wZXJhdG9yQGdyaWQtc3VwcG9ydC5hYy51a4IBADApBgNVHRIE\r\n\tIjAggR5jYS1vcGVyYXRvckBncmlkLXN1cHBvcnQuYWMudWswGQYDVR0gBBIwEDAO\r\n\tBgwrBgEEAdkvAQEBAQYwPQYJYIZIAYb4QgEEBDAWLmh0dHA6Ly9jYS5ncmlkLXN1\r\n\tcHBvcnQuYWMudmT4sopwqlBWsvcHViL2NybC9jYWNybC5jcmwwPQYJYIZIAYb4QgEDBDAWLmh0\r\n\tdHA6Ly9jYS5ncmlkLXN1cHBvcnQuYWMudWsvcHViL2NybC9jYWNybC5jcmwwPwYD\r\n\tVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NhLmdyaWQt5hYy51ay9wdWIv\r\n\tY3JsL2NhY3JsLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAS/U4iiooBENGW/Hwmmd3\r\n\tXCy6Zrt08YjKCzGNjorT98g8uGsqYjSxv/hmi0qlnlHs+k/3Iobc3LjS5AMYr5L8\r\n\tUO7OSkgFFlLHQyC9JzPfmLCAugvzEbyv4Olnsr8hbxF1MbKZoQxUZtMVu29wjfXk\r\n\thTeApBv7eaKCWpSp7MCbvgzm74izKhu3vlDk9w6qVrxePfGgpKPqfHiOoGhFnbTK\r\n\twTC6o2xq5y0qZ03JonF7OJspEd3I5zKY3E+ov7/ZhW6DqT8UFvsAdjvQbXyhV8Eu\r\n\tYhixw1aKEPzNjNowuIseVogKOLXxWI5vAi5HgXdS0/ES5gDGsABo4fqovUKlgop3\r\n\tRA==\r\n\t-----END CERTIFICATE-----\r\n\r\n"
 143     # parser = HttpParser.new
 144     # req = {}
 145     # assert parser.execute(req, nasty_pound_header, 0)
 146   end
 147
 148   def test_parse_ie6_urls
 149     %w(/some/random/path"
 150        /some/random/path>
 151        /some/random/path<
 152        /we/love/you/ie6?q=<"">
 153        /url?<="&>="
 154        /mal"formed"?
 155     ).each do |path|
 156       parser = HttpParser.new
 157       req = {}
 158       sorta_safe = %(GET #{path} HTTP/1.1\r\n\r\n)
 159       assert_equal req, parser.headers(req, sorta_safe)
 160       assert_equal path, req['REQUEST_URI']
 161       assert_equal '', sorta_safe
 162       assert parser.keepalive?
 163     end
 164   end
 165
 166   def test_parse_error
 167     parser = HttpParser.new
 168     req = {}
 169     bad_http = "GET / SsUTF/1.1"
 170
 171     assert_raises(HttpParserError) { parser.headers(req, bad_http) }
 172
 173     # make sure we can recover
 174     parser.reset
 175     req.clear
 176     assert_equal req, parser.headers(req, "GET / HTTP/1.0\r\n\r\n")
 177     assert ! parser.keepalive?
 178   end
 179
 180   def test_piecemeal
 181     parser = HttpParser.new
 182     req = {}
 183     http = "GET"
 184     assert_nil parser.headers(req, http)
 185     assert_nil parser.headers(req, http)
 186     assert_nil parser.headers(req, http << " / HTTP/1.0")
 187     assert_equal '/', req['REQUEST_PATH']
 188     assert_equal '/', req['REQUEST_URI']
 189     assert_equal 'GET', req['REQUEST_METHOD']
 190     assert_nil parser.headers(req, http << "\r\n")
 191     assert_equal 'HTTP/1.0', req['HTTP_VERSION']
 192     assert_nil parser.headers(req, http << "\r")
 193     assert_equal req, parser.headers(req, http << "\n")
 194     assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
 195     assert_nil req['FRAGMENT']
 196     assert_equal '', req['QUERY_STRING']
 197     assert_equal "", http
 198     assert ! parser.keepalive?
 199   end
 200
 201   # not common, but underscores do appear in practice
 202   def test_absolute_uri_underscores
 203     parser = HttpParser.new
 204     req = {}
 205     http = "GET http://under_score.example.com/foo?q=bar HTTP/1.0\r\n\r\n"
 206     assert_equal req, parser.headers(req, http)
 207     assert_equal 'http', req['rack.url_scheme']
 208     assert_equal '/foo?q=bar', req['REQUEST_URI']
 209     assert_equal '/foo', req['REQUEST_PATH']
 210     assert_equal 'q=bar', req['QUERY_STRING']
 211
 212     assert_equal 'under_score.example.com', req['HTTP_HOST']
 213     assert_equal 'under_score.example.com', req['SERVER_NAME']
 214     assert_equal '80', req['SERVER_PORT']
 215     assert_equal "", http
 216     assert ! parser.keepalive?
 217   end
 218
 219   def test_absolute_uri
 220     parser = HttpParser.new
 221     req = {}
 222     http = "GET http://example.com/foo?q=bar HTTP/1.0\r\n\r\n"
 223     assert_equal req, parser.headers(req, http)
 224     assert_equal 'http', req['rack.url_scheme']
 225     assert_equal '/foo?q=bar', req['REQUEST_URI']
 226     assert_equal '/foo', req['REQUEST_PATH']
 227     assert_equal 'q=bar', req['QUERY_STRING']
 228
 229     assert_equal 'example.com', req['HTTP_HOST']
 230     assert_equal 'example.com', req['SERVER_NAME']
 231     assert_equal '80', req['SERVER_PORT']
 232     assert_equal "", http
 233     assert ! parser.keepalive?
 234   end
 235
 236   # X-Forwarded-Proto is not in rfc2616, absolute URIs are, however...
 237   def test_absolute_uri_https
 238     parser = HttpParser.new
 239     req = {}
 240     http = "GET https://example.com/foo?q=bar HTTP/1.1\r\n" \
 241            "X-Forwarded-Proto: http\r\n\r\n"
 242     assert_equal req, parser.headers(req, http)
 243     assert_equal 'https', req['rack.url_scheme']
 244     assert_equal '/foo?q=bar', req['REQUEST_URI']
 245     assert_equal '/foo', req['REQUEST_PATH']
 246     assert_equal 'q=bar', req['QUERY_STRING']
 247
 248     assert_equal 'example.com', req['HTTP_HOST']
 249     assert_equal 'example.com', req['SERVER_NAME']
 250     assert_equal '443', req['SERVER_PORT']
 251     assert_equal "", http
 252     assert parser.keepalive?
 253   end
 254
 255   # Host: header should be ignored for absolute URIs
 256   def test_absolute_uri_with_port
 257     parser = HttpParser.new
 258     req = {}
 259     http = "GET http://example.com:8080/foo?q=bar HTTP/1.2\r\n" \
 260            "Host: bad.example.com\r\n\r\n"
 261     assert_equal req, parser.headers(req, http)
 262     assert_equal 'http', req['rack.url_scheme']
 263     assert_equal '/foo?q=bar', req['REQUEST_URI']
 264     assert_equal '/foo', req['REQUEST_PATH']
 265     assert_equal 'q=bar', req['QUERY_STRING']
 266
 267     assert_equal 'example.com:8080', req['HTTP_HOST']
 268     assert_equal 'example.com', req['SERVER_NAME']
 269     assert_equal '8080', req['SERVER_PORT']
 270     assert_equal "", http
 271     assert ! parser.keepalive? # TODO: read HTTP/1.2 when it's final
 272   end
 273
 274   def test_absolute_uri_with_empty_port
 275     parser = HttpParser.new
 276     req = {}
 277     http = "GET https://example.com:/foo?q=bar HTTP/1.1\r\n" \
 278            "Host: bad.example.com\r\n\r\n"
 279     assert_equal req, parser.headers(req, http)
 280     assert_equal 'https', req['rack.url_scheme']
 281     assert_equal '/foo?q=bar', req['REQUEST_URI']
 282     assert_equal '/foo', req['REQUEST_PATH']
 283     assert_equal 'q=bar', req['QUERY_STRING']
 284
 285     assert_equal 'example.com:', req['HTTP_HOST']
 286     assert_equal 'example.com', req['SERVER_NAME']
 287     assert_equal '443', req['SERVER_PORT']
 288     assert_equal "", http
 289     assert parser.keepalive? # TODO: read HTTP/1.2 when it's final
 290   end
 291
 292   def test_put_body_oneshot
 293     parser = HttpParser.new
 294     req = {}
 295     http = "PUT / HTTP/1.0\r\nContent-Length: 5\r\n\r\nabcde"
 296     assert_equal req, parser.headers(req, http)
 297     assert_equal '/', req['REQUEST_PATH']
 298     assert_equal '/', req['REQUEST_URI']
 299     assert_equal 'PUT', req['REQUEST_METHOD']
 300     assert_equal 'HTTP/1.0', req['HTTP_VERSION']
 301     assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
 302     assert_equal "abcde", http
 303     assert ! parser.keepalive? # TODO: read HTTP/1.2 when it's final
 304   end
 305
 306   def test_put_body_later
 307     parser = HttpParser.new
 308     req = {}
 309     http = "PUT /l HTTP/1.0\r\nContent-Length: 5\r\n\r\n"
 310     assert_equal req, parser.headers(req, http)
 311     assert_equal '/l', req['REQUEST_PATH']
 312     assert_equal '/l', req['REQUEST_URI']
 313     assert_equal 'PUT', req['REQUEST_METHOD']
 314     assert_equal 'HTTP/1.0', req['HTTP_VERSION']
 315     assert_equal 'HTTP/1.1', req['SERVER_PROTOCOL']
 316     assert_equal "", http
 317     assert ! parser.keepalive? # TODO: read HTTP/1.2 when it's final
 318   end
 319
 320   def test_unknown_methods
 321     %w(GETT HEADR XGET XHEAD).each { |m|
 322       parser = HttpParser.new
 323       req = {}
 324       s = "#{m} /forums/1/topics/2375?page=1#posts-17408 HTTP/1.1\r\n\r\n"
 325       ok = false
 326       assert_nothing_raised do
 327         ok = parser.headers(req, s)
 328       end
 329       assert ok
 330       assert_equal '/forums/1/topics/2375?page=1', req['REQUEST_URI']
 331       assert_equal 'posts-17408', req['FRAGMENT']
 332       assert_equal 'page=1', req['QUERY_STRING']
 333       assert_equal "", s
 334       assert_equal m, req['REQUEST_METHOD']
 335       assert ! parser.keepalive? # TODO: read HTTP/1.2 when it's final
 336     }
 337   end
 338
 339   def test_fragment_in_uri
 340     parser = HttpParser.new
 341     req = {}
 342     get = "GET /forums/1/topics/2375?page=1#posts-17408 HTTP/1.1\r\n\r\n"
 343     ok = false
 344     assert_nothing_raised do
 345       ok = parser.headers(req, get)
 346     end
 347     assert ok
 348     assert_equal '/forums/1/topics/2375?page=1', req['REQUEST_URI']
 349     assert_equal 'posts-17408', req['FRAGMENT']
 350     assert_equal 'page=1', req['QUERY_STRING']
 351     assert_equal '', get
 352     assert parser.keepalive?
 353   end
 354
 355   # lame random garbage maker
 356   def rand_data(min, max, readable=true)
 357     count = min + ((rand(max)+1) *10).to_i
 358     res = count.to_s + "/"
 359
 360     if readable
 361       res << Digest::SHA1.hexdigest(rand(count * 100).to_s) * (count / 40)
 362     else
 363       res << Digest::SHA1.digest(rand(count * 100).to_s) * (count / 20)
 364     end
 365
 366     return res
 367   end
 368
 369
 370   def test_horrible_queries
 371     parser = HttpParser.new
 372
 373     # then that large header names are caught
 374     10.times do |c|
 375       get = "GET /#{rand_data(10,120)} HTTP/1.1\r\nX-#{rand_data(1024, 1024+(c*1024))}: Test\r\n\r\n"
 376       assert_raises Unicorn::HttpParserError do
 377         parser.headers({}, get)
 378         parser.reset
 379       end
 380     end
 381
 382     # then that large mangled field values are caught
 383     10.times do |c|
 384       get = "GET /#{rand_data(10,120)} HTTP/1.1\r\nX-Test: #{rand_data(1024, 1024+(c*1024), false)}\r\n\r\n"
 385       assert_raises Unicorn::HttpParserError do
 386         parser.headers({}, get)
 387         parser.reset
 388       end
 389     end
 390
 391     # then large headers are rejected too
 392     get = "GET /#{rand_data(10,120)} HTTP/1.1\r\n"
 393     get << "X-Test: test\r\n" * (80 * 1024)
 394     assert_raises Unicorn::HttpParserError do
 395       parser.headers({}, get)
 396       parser.reset
 397     end
 398
 399     # finally just that random garbage gets blocked all the time
 400     10.times do |c|
 401       get = "GET #{rand_data(1024, 1024+(c*1024), false)} #{rand_data(1024, 1024+(c*1024), false)}\r\n\r\n"
 402       assert_raises Unicorn::HttpParserError do
 403         parser.headers({}, get)
 404         parser.reset
 405       end
 406     end
 407
 408   end
 409 end
 410