test: add unit tests for header validation fixes

Add standalone test-runner with 7 tests covering both interceptor fixes:

CompressedResponseSizeInterceptor (AZ02):
- brokenInterceptor_failsWithArabicLocale: proves locale-dependent formatting crashes
- fixedInterceptor_succeedsWithArabicLocale: proves Locale.US fix works
- fixedInterceptor_succeedsWithUSLocale: regression test

BearerTokenInterceptor (AYPW):
- brokenInterceptor_failsWithControlCharInToken: proves corrupt tokens crash
- fixedInterceptor_succeedsWithControlCharInToken: proves sanitization works
- fixedInterceptor_skipsHeaderWhenTokenIsAllControlChars: edge case
- fixedInterceptor_passesCleanTokenUnmodified: regression test

Run with: cd test-runner && ./gradlew test

Co-authored-by: Claude <claude@anthropic.com>

Author: pavelzeman

test-runner/src/test/kotlin/com/mattermost/networkclient/BearerTokenSanitizationTest.kt

@@ -0,0 +1,157 @@
+package com.mattermost.networkclient
+
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.mockwebserver.MockResponse
+import okhttp3.mockwebserver.MockWebServer
+import okhttp3.Interceptor
+import okhttp3.Response
+import org.junit.Assert
+import org.junit.Test
+
+/**
+ * Tests for bearer token sanitization in BearerTokenInterceptor.
+ *
+ * Reproduces MATTERMOST-MOBILE-ANDROID-AYPW: corrupted tokens containing
+ * non-ASCII control characters (e.g. 0x02) cause OkHttp to throw
+ * IllegalArgumentException when setting the Authorization header.
+ */
+class BearerTokenSanitizationTest {
+
+    /**
+     * Interceptor that sets Authorization header WITHOUT sanitization (broken behavior).
+     */
+    class BrokenTokenInterceptor(private val token: String) : Interceptor {
+        override fun intercept(chain: Interceptor.Chain): Response {
+            val request = chain.request().newBuilder()
+                .header("Authorization", "Bearer $token")
+                .build()
+            return chain.proceed(request)
+        }
+    }
+
+    /**
+     * Interceptor that sanitizes token to ASCII printable characters (fixed behavior).
+     */
+    class FixedTokenInterceptor(private val token: String) : Interceptor {
+        override fun intercept(chain: Interceptor.Chain): Response {
+            val sanitizedToken = token.replace(Regex("[^\\x20-\\x7E]"), "")
+            if (sanitizedToken.isEmpty()) {
+                return chain.proceed(chain.request())
+            }
+            val request = chain.request().newBuilder()
+                .header("Authorization", "Bearer $sanitizedToken")
+                .build()
+            return chain.proceed(request)
+        }
+    }
+
+    @Test
+    fun brokenInterceptor_failsWithControlCharInToken() {
+        val corruptToken = "abc\u0002def"  // Contains 0x02 control character
+
+        val server = MockWebServer()
+        server.enqueue(MockResponse().setBody("ok"))
+        server.start()
+
+        val client = OkHttpClient.Builder()
+            .addInterceptor(BrokenTokenInterceptor(corruptToken))
+            .build()
+
+        val request = Request.Builder()
+            .url(server.url("/test"))
+            .build()
+
+        try {
+            client.newCall(request).execute()
+            Assert.fail("Expected IllegalArgumentException from OkHttp header validation")
+        } catch (e: IllegalArgumentException) {
+            Assert.assertTrue(
+                "Expected error about unexpected char",
+                e.message?.contains("Unexpected char") == true
+            )
+        }
+
+        server.shutdown()
+    }
+
+    @Test
+    fun fixedInterceptor_succeedsWithControlCharInToken() {
+        val corruptToken = "abc\u0002def"
+
+        val server = MockWebServer()
+        server.enqueue(MockResponse().setBody("ok"))
+        server.start()
+
+        val client = OkHttpClient.Builder()
+            .addInterceptor(FixedTokenInterceptor(corruptToken))
+            .build()
+
+        val request = Request.Builder()
+            .url(server.url("/test"))
+            .build()
+
+        val response = client.newCall(request).execute()
+
+        // Should succeed without throwing
+        Assert.assertEquals(200, response.code)
+
+        // Verify the server received the sanitized token
+        val recordedRequest = server.takeRequest()
+        val authHeader = recordedRequest.getHeader("Authorization")
+        Assert.assertEquals("Bearer abcdef", authHeader)
+
+        server.shutdown()
+    }
+
+    @Test
+    fun fixedInterceptor_skipsHeaderWhenTokenIsAllControlChars() {
+        val allControlChars = "\u0001\u0002\u0003"
+
+        val server = MockWebServer()
+        server.enqueue(MockResponse().setBody("ok"))
+        server.start()
+
+        val client = OkHttpClient.Builder()
+            .addInterceptor(FixedTokenInterceptor(allControlChars))
+            .build()
+
+        val request = Request.Builder()
+            .url(server.url("/test"))
+            .build()
+
+        val response = client.newCall(request).execute()
+        Assert.assertEquals(200, response.code)
+
+        // No Authorization header should be set
+        val recordedRequest = server.takeRequest()
+        Assert.assertNull(recordedRequest.getHeader("Authorization"))
+
+        server.shutdown()
+    }
+
+    @Test
+    fun fixedInterceptor_passesCleanTokenUnmodified() {
+        val cleanToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.valid.token"
+
+        val server = MockWebServer()
+        server.enqueue(MockResponse().setBody("ok"))
+        server.start()
+
+        val client = OkHttpClient.Builder()
+            .addInterceptor(FixedTokenInterceptor(cleanToken))
+            .build()
+
+        val request = Request.Builder()
+            .url(server.url("/test"))
+            .build()
+
+        val response = client.newCall(request).execute()
+        Assert.assertEquals(200, response.code)
+
+        val recordedRequest = server.takeRequest()
+        Assert.assertEquals("Bearer $cleanToken", recordedRequest.getHeader("Authorization"))
+
+        server.shutdown()
+    }
+}

test-runner/src/test/kotlin/com/mattermost/networkclient/CompressedResponseSizeInterceptorTest.kt

@@ -0,0 +1,166 @@
+package com.mattermost.networkclient
+
+import okhttp3.OkHttpClient
+import okhttp3.Request
+import okhttp3.mockwebserver.MockResponse
+import okhttp3.mockwebserver.MockWebServer
+import okhttp3.Interceptor
+import okhttp3.Response
+import okhttp3.ResponseBody.Companion.toResponseBody
+import org.junit.Assert
+import org.junit.Test
+import java.util.Locale
+
+/**
+ * Standalone test for CompressedResponseSizeInterceptor locale behavior.
+ *
+ * Reproduces MATTERMOST-MOBILE-ANDROID-AZ02: on Arabic-locale devices,
+ * String.format() produces Arabic-Indic digits (U+0660 range) in the
+ * X-Speed-Mbps header, which OkHttp rejects as invalid header characters.
+ */
+class CompressedResponseSizeInterceptorTest {
+
+    /**
+     * Interceptor using the BROKEN locale-dependent formatting.
+     * This is what the code did before the fix.
+     */
+    class BrokenInterceptor : Interceptor {
+        override fun intercept(chain: Interceptor.Chain): Response {
+            val startTime = System.nanoTime()
+            val response = chain.proceed(chain.request())
+            val endTime = System.nanoTime()
+            val elapsedTimeSeconds = (endTime - startTime) / 1_000_000_000.0
+            val compressedSize = response.header("Content-Length")?.toLongOrNull() ?: 0L
+            val speedMbps = if (elapsedTimeSeconds > 0 && compressedSize > 0) {
+                (compressedSize * 8 / elapsedTimeSeconds) / 1_000_000.0
+            } else {
+                0.0
+            }
+            return response.newBuilder()
+                .header("X-Speed-Mbps", "%.4f".format(speedMbps)) // locale-dependent!
+                .build()
+        }
+    }
+
+    /**
+     * Interceptor using the FIXED locale-independent formatting.
+     */
+    class FixedInterceptor : Interceptor {
+        override fun intercept(chain: Interceptor.Chain): Response {
+            val startTime = System.nanoTime()
+            val response = chain.proceed(chain.request())
+            val endTime = System.nanoTime()
+            val elapsedTimeSeconds = (endTime - startTime) / 1_000_000_000.0
+            val compressedSize = response.header("Content-Length")?.toLongOrNull() ?: 0L
+            val speedMbps = if (elapsedTimeSeconds > 0 && compressedSize > 0) {
+                (compressedSize * 8 / elapsedTimeSeconds) / 1_000_000.0
+            } else {
+                0.0
+            }
+            return response.newBuilder()
+                .header("X-Speed-Mbps", String.format(Locale.US, "%.4f", speedMbps))
+                .build()
+        }
+    }
+
+    @Test
+    fun brokenInterceptor_failsWithArabicLocale() {
+        val originalLocale = Locale.getDefault()
+        try {
+            // Set Arabic locale — causes String.format to use Arabic-Indic digits
+            Locale.setDefault(Locale("ar"))
+
+            val server = MockWebServer()
+            server.enqueue(MockResponse()
+                .setBody("hello")
+                .setHeader("Content-Length", "5"))
+            server.start()
+
+            val client = OkHttpClient.Builder()
+                .addInterceptor(BrokenInterceptor())
+                .build()
+
+            val request = Request.Builder()
+                .url(server.url("/test"))
+                .build()
+
+            // The broken interceptor produces Arabic-Indic digits in the header value.
+            // OkHttp's header validation rejects non-ASCII characters.
+            try {
+                client.newCall(request).execute()
+                Assert.fail("Expected IllegalArgumentException from OkHttp header validation")
+            } catch (e: IllegalArgumentException) {
+                Assert.assertTrue(
+                    "Expected error about unexpected char in header value",
+                    e.message?.contains("Unexpected char") == true
+                )
+            }
+
+            server.shutdown()
+        } finally {
+            Locale.setDefault(originalLocale)
+        }
+    }
+
+    @Test
+    fun fixedInterceptor_succeedsWithArabicLocale() {
+        val originalLocale = Locale.getDefault()
+        try {
+            Locale.setDefault(Locale("ar"))
+
+            val server = MockWebServer()
+            server.enqueue(MockResponse()
+                .setBody("hello")
+                .setHeader("Content-Length", "5"))
+            server.start()
+
+            val client = OkHttpClient.Builder()
+                .addInterceptor(FixedInterceptor())
+                .build()
+
+            val request = Request.Builder()
+                .url(server.url("/test"))
+                .build()
+
+            val response = client.newCall(request).execute()
+
+            // Should succeed without throwing
+            val speedHeader = response.header("X-Speed-Mbps")
+            Assert.assertNotNull("X-Speed-Mbps header should be present", speedHeader)
+
+            // Verify the value contains only ASCII characters
+            Assert.assertTrue(
+                "Header value should contain only ASCII: $speedHeader",
+                speedHeader!!.all { it.code in 0x20..0x7E }
+            )
+
+            server.shutdown()
+        } finally {
+            Locale.setDefault(originalLocale)
+        }
+    }
+
+    @Test
+    fun fixedInterceptor_succeedsWithUSLocale() {
+        val server = MockWebServer()
+        server.enqueue(MockResponse()
+            .setBody("hello")
+            .setHeader("Content-Length", "5"))
+        server.start()
+
+        val client = OkHttpClient.Builder()
+            .addInterceptor(FixedInterceptor())
+            .build()
+
+        val request = Request.Builder()
+            .url(server.url("/test"))
+            .build()
+
+        val response = client.newCall(request).execute()
+        val speedHeader = response.header("X-Speed-Mbps")
+        Assert.assertNotNull(speedHeader)
+        Assert.assertTrue(speedHeader!!.all { it.code in 0x20..0x7E })
+
+        server.shutdown()
+    }
+}