TEMP

Author: st0o0

src/TurboHTTP.Tests/Http11/Http11ClientEncoderSpec.cs

@@ -35,7 +35,7 @@ public void Encode_should_add_host_header()
     }
 
     [Fact(Timeout = 5000)]
-    public void Encode_should_handle_post_with_body()
+    public void Encode_should_write_headers_with_content_length()
     {
         var request = new HttpRequestMessage(HttpMethod.Post, "http://example.com/")
         {
@@ -49,7 +49,6 @@ public void Encode_should_handle_post_with_body()
         var result = Encoding.ASCII.GetString(buffer, 0, written);
         Assert.Contains("POST / HTTP/1.1", result);
         Assert.Contains("Content-Length: 9", result);
-        Assert.DoesNotContain("test body", result);
     }
 
     [Fact(Timeout = 5000)]

src/TurboHTTP.Tests/Protocol/LineBased/BodyEncoderFactorySpec.cs

@@ -22,24 +22,15 @@ public override void Flush() { }
     [Fact(Timeout = 5000)]
     public void Create_should_return_null_for_null_content()
     {
-        var encoder = BodyEncoderFactory.Create(null, HttpVersion.Version11, 65_536);
+        var encoder = BodyEncoderFactory.Create(null, HttpVersion.Version11);
         Assert.Null(encoder);
     }
 
     [Fact(Timeout = 5000)]
-    public void Create_should_return_buffered_for_http11_small_body()
+    public void Create_should_return_streamed_for_http11_known_length()
     {
         var content = new ByteArrayContent(new byte[100]);
-        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version11, 65_536);
-        Assert.IsType<ContentLengthBufferedBodyEncoder>(encoder);
-        encoder.Dispose();
-    }
-
-    [Fact(Timeout = 5000)]
-    public void Create_should_return_streamed_for_http11_large_body()
-    {
-        var content = new ByteArrayContent(new byte[200_000]);
-        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version11, 65_536);
+        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version11);
         Assert.IsType<ContentLengthStreamedBodyEncoder>(encoder);
         encoder.Dispose();
     }
@@ -51,7 +42,7 @@ public void Create_should_return_chunked_and_set_header_for_http11_unknown_lengt
         var content = new StreamContent(new NonSeekableStream());
         request.Content = content;
 
-        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version11, 65_536, request.Headers);
+        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version11, request.Headers);
 
         Assert.IsType<ChunkedBodyEncoder>(encoder);
         Assert.True(request.Headers.TransferEncodingChunked);
@@ -62,7 +53,7 @@ public void Create_should_return_chunked_and_set_header_for_http11_unknown_lengt
     public void Create_should_return_buffered_for_http10_known_length()
     {
         var content = new ByteArrayContent(new byte[200_000]);
-        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version10, 65_536);
+        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version10);
         Assert.IsType<ContentLengthBufferedBodyEncoder>(encoder);
         encoder.Dispose();
     }
@@ -71,7 +62,7 @@ public void Create_should_return_buffered_for_http10_known_length()
     public void Create_should_return_buffered_for_http10_unknown_length()
     {
         var content = new StreamContent(new MemoryStream(new byte[100]));
-        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version10, 65_536);
+        var encoder = BodyEncoderFactory.Create(content, HttpVersion.Version10);
         Assert.IsType<ContentLengthBufferedBodyEncoder>(encoder);
         encoder.Dispose();
     }

src/TurboHTTP.Tests/Protocol/Syntax/Http10/HeaderRouterSpec.cs

@@ -22,7 +22,7 @@ public void Apply_should_route_content_headers_to_content()
     }
 
     [Fact(Timeout = 5000)]
-    public void Apply_should_strip_HopByHop_headers()
+    public void Apply_should_include_hop_by_hop_headers()
     {
         var parsed = new HeaderCollection();
         parsed.Add("Connection", "close");
@@ -32,8 +32,8 @@ public void Apply_should_strip_HopByHop_headers()
         var msg = new HttpResponseMessage { Content = new ByteArrayContent([]) };
         HeaderRouter.ApplyToResponse(msg, parsed);
 
-        Assert.False(msg.Headers.Contains("Connection"));
-        Assert.False(msg.Headers.Contains("Keep-Alive"));
+        Assert.True(msg.Headers.Contains("Connection"));
+        Assert.True(msg.Headers.Contains("Keep-Alive"));
         Assert.True(msg.Headers.Contains("X-Custom"));
     }
 

src/TurboHTTP.Tests/Security/Http11FuzzBodySpec.cs

@@ -1,45 +1,52 @@
 using System.Text;
-using Decoder = TurboHTTP.Protocol.Http11.Decoder;
+using TurboHTTP.Protocol.Syntax;
+using TurboHTTP.Protocol.Syntax.Http11.Client;
+using TurboHTTP.Protocol.Syntax.Http11.Options;
 
 namespace TurboHTTP.Tests.Security;
 
 public sealed class Http11FuzzBodySpec
 {
     private const int IterationsPerSeed = 100;
     private const long MaxBytesPerIteration = 1_048_576;
+    private static readonly Http11ClientDecoderOptions DecoderOptions = Http11ClientDecoderOptions.Default;
 
-    private static void AssertDecodeNeverCrashes(Decoder decoder, ReadOnlyMemory<byte> data)
+    private static void AssertDecodeNeverCrashes(Http11ClientDecoder decoder, ReadOnlyMemory<byte> data)
     {
         try
         {
-            decoder.TryDecodeHeaders(data, out var response, out _, out _);
-            response?.Dispose();
+            var outcome = decoder.Feed(data.Span, requestMethodWasHead: false, out _);
+            if (outcome == DecodeOutcome.Complete)
+            {
+                var response = decoder.GetResponse();
+                response.Dispose();
+                decoder.Reset();
+            }
         }
         catch (HttpProtocolException)
         {
-            // Expected — malformed input correctly classified by our decoder.
         }
         catch (FormatException)
         {
-            // Expected — .NET's HttpResponseMessage rejects invalid reason phrases
-            // (newlines, NUL) that random bytes produce. Not a decoder bug.
         }
     }
 
-    private static void AssertDecodeEofNeverCrashes(Decoder decoder)
+    private static void AssertDecodeEofNeverCrashes(Http11ClientDecoder decoder)
     {
         try
         {
-            decoder.TryDecodeEof(out var response);
-            response?.Dispose();
+            if (decoder.SignalEof() || decoder.IsBodyComplete)
+            {
+                var response = decoder.GetResponse();
+                response?.Dispose();
+                decoder.Reset();
+            }
         }
         catch (HttpProtocolException)
         {
-            // Expected — malformed input correctly classified by our decoder.
         }
         catch (FormatException)
         {
-            // Expected — .NET's HttpResponseMessage rejects invalid reason phrases.
         }
     }
 
@@ -102,7 +109,7 @@ public void Http11Decoder_should_handle_mixed_transfer_encoding_and_content_leng
             using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
             var allocBefore = GC.GetAllocatedBytesForCurrentThread();
 
-            using var decoder = new Decoder();
+            var decoder = new Http11ClientDecoder(DecoderOptions);
 
             var sb = new StringBuilder();
             sb.Append("HTTP/1.1 200 OK\r\n");
@@ -151,7 +158,7 @@ public void Http11Decoder_should_handle_extremely_large_content_length_without_o
             using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
             var allocBefore = GC.GetAllocatedBytesForCurrentThread();
 
-            using var decoder = new Decoder();
+            var decoder = new Http11ClientDecoder(DecoderOptions);
 
             var claimedLengths = new[]
             {
@@ -207,7 +214,7 @@ public void Http11Decoder_should_handle_connection_close_with_trailing_data(int
             using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
             var allocBefore = GC.GetAllocatedBytesForCurrentThread();
 
-            using var decoder = new Decoder();
+            var decoder = new Http11ClientDecoder(DecoderOptions);
 
             var body = "Hello, World!";
             var validResponse = BuildValidResponse(200, "OK", body,
@@ -250,7 +257,7 @@ public void Http11Decoder_should_maintain_consistent_state_with_fragmented_deliv
             using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(5));
             var allocBefore = GC.GetAllocatedBytesForCurrentThread();
 
-            using var decoder = new Decoder();
+            var decoder = new Http11ClientDecoder(DecoderOptions);
 
             byte[] fullResponse;
             if (rng.Next(2) == 0)

src/TurboHTTP.Tests/Security/UriRedirectSpec.cs

@@ -1,18 +1,21 @@
 using System.Net;
 using System.Text;
+using Akka.Actor;
 using TurboHTTP.Protocol.Semantics;
-using Encoder = TurboHTTP.Protocol.Http11.Encoder;
+using TurboHTTP.Protocol.Syntax.Http11.Client;
+using TurboHTTP.Protocol.Syntax.Http11.Options;
 
 namespace TurboHTTP.Tests.Security;
 
 public sealed class UriRedirectSpec
 {
-    private static string EncodeHttp11(HttpRequestMessage request, bool absoluteForm = false, int bufferSize = 16384)
+    private static readonly Http11ClientEncoder Encoder = new(Http11ClientEncoderOptions.Default);
+
+    private static string EncodeHttp11(HttpRequestMessage request, int bufferSize = 16384)
     {
-        var buffer = new Memory<byte>(new byte[bufferSize]);
-        var span = buffer.Span;
-        var written = Encoder.Encode(request, ref span, absoluteForm);
-        return Encoding.ASCII.GetString(buffer.Span[..written]);
+        var buffer = new byte[bufferSize];
+        var written = Encoder.Encode(buffer, request, ActorRefs.Nobody);
+        return Encoding.ASCII.GetString(buffer, 0, written);
     }
 
     private static HttpResponseMessage RedirectResponse(HttpStatusCode status, string location)
@@ -25,35 +28,25 @@ private static HttpResponseMessage RedirectResponse(HttpStatusCode status, strin
     [Fact(Timeout = 5000)]
     public void Uri_should_normalize_backslash_when_path_contains_backslash()
     {
-        // Attack: Backslash path traversal on Windows (e.g., ..\..\etc\passwd)
-        // .NET Uri normalizes backslashes to forward slashes on Windows
         const string uriString = "https://example.com/api\\..\\sensitive";
 
-        // On Windows, Uri may normalize backslashes — test the actual behavior
         if (OperatingSystem.IsWindows())
         {
             var uri = new Uri(uriString);
-            // Backslash should be converted to forward slash
             Assert.DoesNotContain("\\", uri.AbsolutePath);
         }
     }
 
     [Fact(Timeout = 5000)]
     public void Http11Encoder_should_encode_extremely_long_uri_when_uri_exceeds_standard_size()
     {
-        // Attack: Resource exhaustion via extremely long URIs
-        var longPath = string.Concat(Enumerable.Repeat("segment/", 400)); // ~3200 chars
+        var longPath = string.Concat(Enumerable.Repeat("segment/", 400));
         var longUri = $"https://example.com/{longPath}query=value";
 
         var request = new HttpRequestMessage(HttpMethod.Get, longUri);
 
-        // Use a larger buffer to accommodate the long URI
-        const int bufferSize = 32768; // 32 KB
-        var buffer = new Memory<byte>(new byte[bufferSize]);
-        var span = buffer.Span;
-
-        // Should encode without throwing
-        var written = Encoder.Encode(request, ref span);
+        const int bufferSize = 32768;
+        var written = Encoder.Encode(new byte[bufferSize], request, ActorRefs.Nobody);
 
         Assert.True(written > 0);
         Assert.True(written < bufferSize);
@@ -62,17 +55,13 @@ public void Http11Encoder_should_encode_extremely_long_uri_when_uri_exceeds_stan
     [Fact(Timeout = 5000)]
     public void Http11Encoder_should_encode_long_query_string_when_query_parameters_very_large()
     {
-        // Attack: Query string DoS via extremely long parameter values
         var longQueryValue = string.Concat(Enumerable.Repeat("x", 4096));
         var uri = $"https://example.com/endpoint?data={longQueryValue}";
 
         var request = new HttpRequestMessage(HttpMethod.Get, uri);
 
         const int bufferSize = 32768;
-        var buffer = new Memory<byte>(new byte[bufferSize]);
-        var span = buffer.Span;
-
-        var written = Encoder.Encode(request, ref span);
+        var written = Encoder.Encode(new byte[bufferSize], request, ActorRefs.Nobody);
 
         Assert.True(written > 0);
         Assert.True(written < bufferSize);
@@ -81,19 +70,15 @@ public void Http11Encoder_should_encode_long_query_string_when_query_parameters_
     [Fact(Timeout = 5000)]
     public void RedirectHandler_should_strip_userinfo_in_location_when_location_contains_credentials()
     {
-        // Attack: Location header with embedded credentials
-        // https://user:password@evil.com/phishing
         var original = new HttpRequestMessage(HttpMethod.Get, "https://trusted.com/page");
         var response = RedirectResponse(HttpStatusCode.Found, "https://admin:secret@attacker.com/");
 
         var handler = new RedirectHandler();
         var redirect = handler.BuildRedirectRequest(original, response);
 
-        // The redirect URI will contain userinfo in the Uri object, but encoders strip it
         Assert.NotNull(redirect.RequestUri);
 
-        // If we encode the redirect request, userinfo should not appear
-        var encoded = EncodeHttp11(redirect, absoluteForm: true);
+        var encoded = EncodeHttp11(redirect);
         Assert.DoesNotContain("admin", encoded);
         Assert.DoesNotContain("secret", encoded);
         Assert.DoesNotContain("@", encoded);