parlov 0.3.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

//! Integration tests for the DELETE existence oracle pipeline.
//!
//! Each test spawns an isolated RFC-compliant DELETE server, drives the adaptive
//! sampling loop via `evaluate`, and asserts the final verdict and severity.

#![deny(clippy::all)]

mod fixtures {
    pub mod delete_server;
}

use fixtures::delete_server::spawn;
use http::{HeaderMap, Method};
use parlov_analysis::existence::ExistenceAnalyzer;
use parlov_analysis::{Analyzer, SampleDecision};
use parlov_core::{OracleResult, OracleVerdict, ProbeDefinition, ProbeSet, Severity};
use parlov_probe::http::HttpProbe;
use parlov_probe::Probe;

// --- helpers ---

fn def(url: String) -> ProbeDefinition {
    ProbeDefinition {
        url,
        method: Method::DELETE,
        headers: HeaderMap::new(),
        body: None,
    }
}

/// Adaptive sampling loop matching the binary's `collect_until_verdict` pattern.
async fn collect_until_verdict(
    route_template: &str,
    baseline_id: &str,
    probe_id: &str,
    addr: std::net::SocketAddr,
) -> OracleResult {
    let client = HttpProbe::new();
    let analyzer = ExistenceAnalyzer;
    let baseline_url = format!("http://{addr}{}", route_template.replace("{id}", baseline_id));
    let probe_url = format!("http://{addr}{}", route_template.replace("{id}", probe_id));
    let mut probe_set = ProbeSet {
        baseline: Vec::new(),
        probe: Vec::new(),
    };

    loop {
        let b = client.execute(&def(baseline_url.clone())).await.expect("baseline request failed");
        let p = client.execute(&def(probe_url.clone())).await.expect("probe request failed");
        probe_set.baseline.push(b);
        probe_set.probe.push(p);

        if let SampleDecision::Complete(result) = analyzer.evaluate(&probe_set) {
            return result;
        }
    }
}

// --- 405 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn delete_405_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict("/resource/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
}

// --- normalized (always 404) → NotPresent ---

#[tokio::test]
async fn delete_normalized_not_present() {
    let addr = spawn().await;
    let result = collect_until_verdict("/normalized/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::NotPresent);
    assert_eq!(result.severity, None);
}

// --- 204 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn delete_204_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict("/deletable/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 200 vs 404 → Confirmed / High ---

#[tokio::test]
async fn delete_200_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict("/deletable-200/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 202 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn delete_202_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict("/async-delete/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 409 vs 404 → Confirmed / High ---

#[tokio::test]
async fn delete_409_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict("/has-deps/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 403 vs 404 → Confirmed / High ---

#[tokio::test]
async fn delete_403_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict("/forbidden/{id}", "42", "999", addr).await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}