httpbin does not reflect requests perfectly #198

theseion · 2023-11-06T06:30:28Z

httpbin usually returns the request data in the response exactly as sent. At least in case of Unicode that is not true, unfortunately. Example:

curl -X POST "https://httpbin.org/anything" --json '{"über": "bort"}'
{
  "args": {},
  "data": "{\"\u00fcber\": \"bort\"}",
  "files": {},
  "form": {},
  "headers": {
    "Accept": "application/json",
    "Content-Length": "17",
    "Content-Type": "application/json",
    "Host": "httpbin.org",
    "User-Agent": "curl/8.1.2",
    "X-Amzn-Trace-Id": "Root=1-6548859d-09da901d70e79647362f7b83"
  },
  "json": {
    "\u00fcber": "bort"
  },
  "method": "POST",
  "origin": "89.133.9.17",
  "url": "https://httpbin.org/anything"
}

The Unicode sequence is returned as a backslash escape sequence instead. That is semantically correct but bad for testing. We need to find a way around this.

M4tteoP · 2023-12-30T17:17:32Z

The httpbin go port (go-httpbin) is behaving in a better way:

▶ go run github.com/mccutchen/go-httpbin/v2/cmd/go-httpbin@v2.9 -port 8080 & 
▶ curl -X POST localhost:8080/anything --json '{"über": "bort"}'
{
  "args": {},
  "headers": {
    "Accept": [
      "application/json"
    ],
    "Content-Length": [
      "17"
    ],
    "Content-Type": [
      "application/json"
    ],
    "Host": [
      "localhost:8080"
    ],
    "User-Agent": [
      "curl/8.1.2"
    ]
  },
  "method": "POST",
  "origin": "127.0.0.1:54971",
  "url": "http://localhost:8080/anything",
  "data": "{\"über\": \"bort\"}",
  "files": null,
  "form": null,
  "json": {
    "über": "bort"
  }
}

Around Coraza we are already using it in some places as the backend to test the CRS, moving to it should be pretty smooth

theseion · 2024-01-05T19:34:35Z

Great! I'll take a look.

httpbin does not properly reflect Unicode sequences but returns JSON Unicode escape sequences instead. This can break response tests that rely on the data in the response to be an exact copy of the request data. See coreruleset/go-ftw#198. This PR switches the backend for tests from httpbin to the go-httpbin port, as the port behaves correctly.

theseion · 2024-01-07T14:56:48Z

coreruleset/coreruleset#3464 fixes the issue for the CRS test suite but is not a generic solution for go-ftw.

httpbin does not properly reflect Unicode sequences but returns JSON Unicode escape sequences instead. This can break response tests that rely on the data in the response to be an exact copy of the request data. See coreruleset/go-ftw#198. This PR switches the backend for tests from httpbin to the go-httpbin port, as the port behaves correctly.

theseion · 2024-06-05T19:00:27Z

We now have albedo.

theseion mentioned this issue Jan 7, 2024

fix: JSON Unicode reflection for tests coreruleset/coreruleset#3464

Merged

theseion closed this as completed Jun 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

httpbin does not reflect requests perfectly #198

httpbin does not reflect requests perfectly #198

theseion commented Nov 6, 2023

M4tteoP commented Dec 30, 2023 •

edited

theseion commented Jan 5, 2024

theseion commented Jan 7, 2024

theseion commented Jun 5, 2024

httpbin does not reflect requests perfectly #198

httpbin does not reflect requests perfectly #198

Comments

theseion commented Nov 6, 2023

M4tteoP commented Dec 30, 2023 • edited

theseion commented Jan 5, 2024

theseion commented Jan 7, 2024

theseion commented Jun 5, 2024

M4tteoP commented Dec 30, 2023 •

edited