parlov 0.7.0

HTTP oracle detection tool — systematic probing for RFC-compliant information leakage.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

//! Sanity tests for PATCH error-message-granularity (EMG) routes.
//!
//! Validates: 400/404 status diff where body confirms ID resolved before
//! schema validation, and the normalized negative case.

#![deny(clippy::all)]

mod fixtures {
    pub mod patch_server;
}

use fixtures::patch_server::spawn;
use serde_json::json;

// ========================================================================
// /emg/users/{id} — 400 vs 404, body confirms ID resolved before validation
// ========================================================================

#[tokio::test]
async fn emg_patch_users_known_id_returns_400() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/users/42"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::BAD_REQUEST);
}

#[tokio::test]
async fn emg_patch_users_unknown_id_returns_404() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/users/999"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::NOT_FOUND);
}

#[tokio::test]
async fn emg_patch_users_known_id_body_is_type_error() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/users/42"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(
        resp.headers()["content-type"].to_str().unwrap(),
        "application/json"
    );
    let body: serde_json::Value = resp.json().await.expect("invalid json");
    assert_eq!(
        body["error"],
        "invalid type for field 'email', expected string"
    );
}

#[tokio::test]
async fn emg_patch_users_unknown_id_body_is_not_found() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/users/999"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(
        resp.headers()["content-type"].to_str().unwrap(),
        "application/json"
    );
    let body: serde_json::Value = resp.json().await.expect("invalid json");
    assert_eq!(body["error"], "user not found");
}

// ========================================================================
// /emg/normalized/{id} — negative case: identical 404 for both IDs
// ========================================================================

#[tokio::test]
async fn emg_patch_normalized_known_id_returns_404() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/normalized/42"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::NOT_FOUND);
}

#[tokio::test]
async fn emg_patch_normalized_unknown_id_returns_404() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/normalized/999"))
        .json(&json!({"email": ["invalid_type"]}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(resp.status(), reqwest::StatusCode::NOT_FOUND);
}

#[tokio::test]
async fn emg_patch_normalized_both_ids_have_identical_body() {
    let addr = spawn().await;
    let known_body = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/normalized/42"))
        .json(&json!({}))
        .send()
        .await
        .expect("request failed")
        .bytes()
        .await
        .expect("body read failed");
    let unknown_body = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/normalized/999"))
        .json(&json!({}))
        .send()
        .await
        .expect("request failed")
        .bytes()
        .await
        .expect("body read failed");
    assert_eq!(
        known_body, unknown_body,
        "normalized route must return identical bodies for all IDs"
    );
}

#[tokio::test]
async fn emg_patch_normalized_body_content() {
    let addr = spawn().await;
    let resp = reqwest::Client::new()
        .patch(format!("http://{addr}/emg/normalized/42"))
        .json(&json!({}))
        .send()
        .await
        .expect("request failed");
    assert_eq!(
        resp.headers()["content-type"].to_str().unwrap(),
        "application/json"
    );
    let body: serde_json::Value = resp.json().await.expect("invalid json");
    assert_eq!(body["error"], "not found");
}