fix(method): disallow invalid HTTP method chars

Author: spaceone

httoop/messages/method.py

@@ -31,7 +31,7 @@ def idempotent(self) -> bool:
 
     safe_methods = ('GET', 'HEAD', 'SEARCH')
     idempotent_methods = ('GET', 'HEAD', 'PUT', 'DELETE', 'OPTIONS', 'TRACE', 'SEARCH')
-    METHOD_RE = re.compile(rb'^[A-Z0-9$-_.]{1,20}\Z', re.IGNORECASE)
+    METHOD_RE = re.compile(rb'^[A-Z0-9$_.-]{1,20}\Z', re.IGNORECASE)
 
     def __init__(self, method: str | None = None) -> None:
         self.set(method or 'GET')

tests/messaging/test_request_method.py

@@ -1,7 +1,11 @@
+import string
+
 import pytest
 
 from httoop.exceptions import InvalidLine
 
+VALID_METHOD_CHARS = string.ascii_letters + string.digits + '$-_.'
+
 
 def test_method_format(request_):
     assert f'{request_.method}' == 'GET'
@@ -10,11 +14,18 @@ def test_method_format(request_):
 def test_method_maxlength(request_):
     with pytest.raises(InvalidLine):
         request_.method.parse(b'A' * 21)
+    request_.method.parse(b'A' * 20)
+
+
+@pytest.mark.parametrize('char', list(VALID_METHOD_CHARS))
+def test_method_valid_characters(request_, char):
+    request_.parse(b'G%bET / HTTP/1.1' % char.encode('ASCII'))
 
 
-def test_method_valid_characters(request_):
+@pytest.mark.parametrize('char', set(''.join(map(chr, range(256)))) - set(VALID_METHOD_CHARS))
+def test_method_invalid_characters(request_, char):
     with pytest.raises(InvalidLine):
-        request_.parse(b'G\x01ET / HTTP/1.1')
+        request_.parse(b'G%bET / HTTP/1.1' % char.encode('ISO8859-1'))
 
 
 def test_request_on_safe_method_containing_request_body():