parlov 0.4.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

//! Sanity-check tests for the RFC-compliant PATCH test server.
//!
//! Each test spawns an isolated server instance, sends a PATCH request with a
//! known or unknown ID, and asserts the expected status code. No oracle types
//! are used — raw reqwest only.

#![deny(clippy::all)]

mod fixtures {
    pub mod patch_server;
}

use fixtures::patch_server::spawn;
use serde_json::json;

// --- /resource/{id} ---

#[tokio::test]
async fn patch_resource_known_id_returns_422() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/resource/42"))
        .json(&json!({"role": "invalid_role"}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::UNPROCESSABLE_ENTITY);
}

#[tokio::test]
async fn patch_resource_unknown_id_returns_404() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/resource/999"))
        .json(&json!({"role": "invalid_role"}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::NOT_FOUND);
}

// --- /creating/{id} ---

#[tokio::test]
async fn patch_creating_known_id_returns_422() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/creating/42"))
        .json(&json!({"role": "invalid_role"}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::UNPROCESSABLE_ENTITY);
}

#[tokio::test]
async fn patch_creating_unknown_id_returns_201() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/creating/999"))
        .json(&json!({"role": "invalid_role"}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::CREATED);
}

// --- /normalized/{id} (negative case — always 404) ---

#[tokio::test]
async fn patch_normalized_returns_404() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/normalized/42"))
        .json(&json!({"role": "invalid_role"}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::NOT_FOUND);
}