parlov 0.3.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306

//! Integration tests for the GET existence oracle pipeline.
//!
//! Each test spawns an isolated RFC-compliant server, drives the adaptive sampling
//! loop via `evaluate`, and asserts the final verdict and severity.

#![deny(clippy::all)]

mod fixtures {
    pub mod get_server;
}

use bytes::Bytes;
use fixtures::get_server::spawn;
use http::{HeaderMap, Method};
use parlov_analysis::existence::ExistenceAnalyzer;
use parlov_analysis::{Analyzer, SampleDecision};
use parlov_core::{OracleResult, OracleVerdict, ProbeDefinition, ProbeSet, ResponseSurface, Severity};
use parlov_probe::http::HttpProbe;
use parlov_probe::Probe;
use reqwest::redirect;

// --- helpers ---

fn def(url: String) -> ProbeDefinition {
    ProbeDefinition {
        url,
        method: Method::GET,
        headers: HeaderMap::new(),
        body: None,
    }
}

/// Adaptive sampling loop matching the binary's `collect_until_verdict` pattern.
async fn collect_until_verdict(baseline_url: String, probe_url: String) -> OracleResult {
    let client = HttpProbe::new();
    let analyzer = ExistenceAnalyzer;
    let mut probe_set = ProbeSet {
        baseline: Vec::new(),
        probe: Vec::new(),
    };

    loop {
        let b = client.execute(&def(baseline_url.clone())).await.expect("baseline request failed");
        let p = client.execute(&def(probe_url.clone())).await.expect("probe request failed");
        probe_set.baseline.push(b);
        probe_set.probe.push(p);

        if let SampleDecision::Complete(result) = analyzer.evaluate(&probe_set) {
            return result;
        }
    }
}

/// Like `collect_until_verdict` but with a client that does not follow redirects.
async fn collect_no_redirect(baseline_url: String, probe_url: String) -> OracleResult {
    let client = HttpProbe::with_client(
        reqwest::Client::builder()
            .redirect(redirect::Policy::none())
            .build()
            .expect("client build failed"),
    );
    let analyzer = ExistenceAnalyzer;
    let mut probe_set = ProbeSet {
        baseline: Vec::new(),
        probe: Vec::new(),
    };
    loop {
        let b = client.execute(&def(baseline_url.clone())).await.expect("baseline failed");
        let p = client.execute(&def(probe_url.clone())).await.expect("probe failed");
        probe_set.baseline.push(b);
        probe_set.probe.push(p);
        if let SampleDecision::Complete(result) = analyzer.evaluate(&probe_set) {
            return result;
        }
    }
}

fn fake_surface(status: u16) -> ResponseSurface {
    ResponseSurface {
        status: http::StatusCode::from_u16(status).expect("valid status"),
        headers: HeaderMap::new(),
        body: Bytes::new(),
        timing_ns: 0,
    }
}

// --- 403 vs 404 → Confirmed / High ---

#[tokio::test]
async fn oracle_403_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/oracle/42"),
        format!("http://{addr}/oracle/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
}

// --- 200 vs 404 → Confirmed / High ---

#[tokio::test]
async fn public_200_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/public/42"),
        format!("http://{addr}/public/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
}

// --- 401 vs 404 → Confirmed / High ---

#[tokio::test]
async fn protected_401_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/protected/42"),
        format!("http://{addr}/protected/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
}

// --- 410 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn archive_410_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/archive/42"),
        format!("http://{addr}/archive/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
}

// --- 429 vs 404 → Likely / Medium ---

#[tokio::test]
async fn metered_429_vs_404_likely_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/metered/42"),
        format!("http://{addr}/metered/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Likely);
    assert_eq!(result.severity, Some(Severity::Medium));
}

// --- 500 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn broken_500_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/broken/42"),
        format!("http://{addr}/broken/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
}

// --- 402 vs 404 → Likely / Medium ---

#[tokio::test]
async fn premium_402_vs_404_likely_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/premium/42"),
        format!("http://{addr}/premium/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Likely);
    assert_eq!(result.severity, Some(Severity::Medium));
}

// --- same vs same → NotPresent ---

#[tokio::test]
async fn normalized_same_same_not_present() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/normalized/42"),
        format!("http://{addr}/normalized/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::NotPresent);
    assert_eq!(result.severity, None);
}

// --- unrecognised diff → Likely / Low ---

#[tokio::test]
async fn unrecognised_diff_likely_low() {
    // Synthetic ProbeSet with a status pair not matching any known pattern (418 vs 404).
    // Classifier catch-all: Likely / Low for any unrecognised differential.
    let probe_set = ProbeSet {
        baseline: vec![fake_surface(418), fake_surface(418), fake_surface(418)],
        probe: vec![fake_surface(404), fake_surface(404), fake_surface(404)],
    };
    let result = ExistenceAnalyzer.analyze(&probe_set);
    assert_eq!(result.verdict, OracleVerdict::Likely);
    assert_eq!(result.severity, Some(Severity::Low));
}

// --- 206 vs 404 → Confirmed / High ---

#[tokio::test]
async fn ranged_206_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/ranged/42"),
        format!("http://{addr}/ranged/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 301 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn redirected_301_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_no_redirect(
        format!("http://{addr}/redirected/42"),
        format!("http://{addr}/redirected/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 304 vs 404 → Confirmed / High ---

#[tokio::test]
async fn conditional_304_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/conditional/42"),
        format!("http://{addr}/conditional/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 406 vs 404 → Confirmed / High ---

#[tokio::test]
async fn negotiated_406_vs_404_confirmed_high() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/negotiated/42"),
        format!("http://{addr}/negotiated/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::High));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}

// --- 400 vs 404 → Likely / Low (wildcard, not in pattern table) ---

#[tokio::test]
async fn validated_400_vs_404_likely_low() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/validated/42"),
        format!("http://{addr}/validated/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Likely);
    assert_eq!(result.severity, Some(Severity::Low));
}

// --- 416 vs 404 → Confirmed / Medium ---

#[tokio::test]
async fn range_invalid_416_vs_404_confirmed_medium() {
    let addr = spawn().await;
    let result = collect_until_verdict(
        format!("http://{addr}/range-invalid/42"),
        format!("http://{addr}/range-invalid/999"),
    )
    .await;
    assert_eq!(result.verdict, OracleVerdict::Confirmed);
    assert_eq!(result.severity, Some(Severity::Medium));
    assert!(result.label.is_some());
    assert!(result.rfc_basis.is_some());
}