Adding content length edge cases (#3147)

* adding content length edge cases * fixing CL behavior * suppressing -1 error * fixing path
2023-01-07 13:36:44 +01:00 · 2023-01-07 13:36:44 +01:00 · d956275e98
parent 5e70f74aff
commit d956275e98
3 changed files with 76 additions and 0 deletions
--- a/integration_tests/http/cl-body-with-header.yaml
+++ b/integration_tests/http/cl-body-with-header.yaml
@ -0,0 +1,15 @@
+id: cl-body-with-header
+
+info:
+  name: CL Get Request - Body with header
+  author: pdteam
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: dsl
+        dsl:
+          - "content_length==50000 && len(body)==14"
--- a/integration_tests/http/cl-body-without-header.yaml
+++ b/integration_tests/http/cl-body-without-header.yaml
@ -0,0 +1,15 @@
+id: cl-body-without-header
+
+info:
+  name: CL Get Request - Body without header
+  author: pdteam
+  severity: info
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+    matchers:
+      - type: dsl
+        dsl:
+          - "content_length==14"
--- a/v2/cmd/integration-test/http.go
+++ b/v2/cmd/integration-test/http.go
@ -14,6 +14,7 @@ import (
 	"github.com/julienschmidt/httprouter"

 	"github.com/projectdiscovery/nuclei/v2/pkg/testutils"
+	logutil "github.com/projectdiscovery/utils/log"
 	stringsutil "github.com/projectdiscovery/utils/strings"
 )

@ -59,6 +60,8 @@ var httpTestcases = map[string]testutils.TestCase{
 	"http/custom-attack-type.yaml":                  &customAttackType{},
 	"http/get-all-ips.yaml":                         &scanAllIPS{},
 	"http/get-without-scheme.yaml":                  &httpGetWithoutScheme{},
+	"http/cl-body-without-header.yaml":              &httpCLBodyWithoutHeader{},
+	"http/cl-body-with-header.yaml":                 &httpCLBodyWithHeader{},
 }

 type httpInteractshRequest struct{}
@ -1037,3 +1040,46 @@ func (h *httpGetWithoutScheme) Execute(filePath string) error {
 	}
 	return expectResultsCount(got, 1)
 }
+
+// content-length in case the response has no header but has a body
+type httpCLBodyWithoutHeader struct{}
+
+// Execute executes a test case and returns an error if occurred
+func (h *httpCLBodyWithoutHeader) Execute(filePath string) error {
+	logutil.DisableDefaultLogger()
+	defer logutil.EnableDefaultLogger()
+
+	router := httprouter.New()
+	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+		w.Header()["Content-Length"] = []string{"-1"}
+		fmt.Fprintf(w, "this is a test")
+	})
+	ts := httptest.NewTLSServer(router)
+	defer ts.Close()
+
+	got, err := testutils.RunNucleiTemplateAndGetResults(filePath, ts.URL, debug)
+	if err != nil {
+		return err
+	}
+	return expectResultsCount(got, 1)
+}
+
+// content-length in case the response has content-length header and a body
+type httpCLBodyWithHeader struct{}
+
+// Execute executes a test case and returns an error if occurred
+func (h *httpCLBodyWithHeader) Execute(filePath string) error {
+	router := httprouter.New()
+	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+		w.Header()["Content-Length"] = []string{"50000"}
+		fmt.Fprintf(w, "this is a test")
+	})
+	ts := httptest.NewTLSServer(router)
+	defer ts.Close()
+
+	got, err := testutils.RunNucleiTemplateAndGetResults(filePath, ts.URL, debug)
+	if err != nil {
+		return err
+	}
+	return expectResultsCount(got, 1)
+}