wafrift-encoding 0.2.15

Payload encoding strategies and header obfuscation for WAF evasion.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

//! Regression coverage for the 2026-05-10 credibility audit finding:
//!   MEDIUM: `validate_in_context()` in encoding/contextual.rs had four
//!     `// TODO: validate ...` arms (`XmlCdata`, `XmlText`, `HtmlAttribute`,
//!     `HtmlText`) that were no-op stubs. A direct caller of
//!     `validate_in_context` (not via `encode_in_context`) would receive
//!     Ok(()) for clearly-broken payloads — the function pretended to
//!     validate but did nothing. For a public crate that ships an
//!     `escape_for_context` + `validate_in_context` pair, that's a
//!     credibility hole: the validator was a smoke alarm wired to
//!     nothing.
//!
//! Pre-fix all of these tests would have passed `Ok()` instead of
//! returning the explicit Err.

use wafrift_encoding::contextual::validate_in_context;
use wafrift_types::injection_context::InjectionContext;

// ── XmlCdata: `]]>` would terminate the section ─────────────────────

#[test]
fn xml_cdata_rejects_terminator_sequence() {
    let err = validate_in_context("safe ]]> evil", InjectionContext::XmlCdata)
        .expect_err("must reject CDATA terminator");
    assert!(format!("{err}").contains("]]>"));
}

#[test]
fn xml_cdata_accepts_clean_payload() {
    validate_in_context("clean cdata content", InjectionContext::XmlCdata)
        .expect("clean payload must pass");
}

// ── XmlText: unescaped `<` and `&` ──────────────────────────────────

#[test]
fn xml_text_rejects_raw_lt() {
    let err = validate_in_context("a < b", InjectionContext::XmlText)
        .expect_err("must reject unescaped <");
    assert!(format!("{err}").contains('<'));
}

#[test]
fn xml_text_rejects_unescaped_ampersand() {
    let _err = validate_in_context("rock & roll", InjectionContext::XmlText)
        .expect_err("must reject unescaped &");
}

#[test]
fn xml_text_accepts_proper_entity_references() {
    validate_in_context("&amp; and &lt;", InjectionContext::XmlText)
        .expect("named entities must pass");
    validate_in_context("&#65; and &#x41;", InjectionContext::XmlText)
        .expect("numeric and hex entities must pass");
}

// ── HtmlAttribute: <, ", ', and unescaped & all break out ───────────

#[test]
fn html_attribute_rejects_raw_lt() {
    let err = validate_in_context("a < b", InjectionContext::HtmlAttribute)
        .expect_err("must reject <");
    assert!(format!("{err}").contains('<'));
}

#[test]
fn html_attribute_rejects_double_quote() {
    let err = validate_in_context("hello \"world\"", InjectionContext::HtmlAttribute)
        .expect_err("must reject double-quote attr breakout");
    assert!(format!("{err}").contains('"'));
}

#[test]
fn html_attribute_rejects_single_quote() {
    let err = validate_in_context("don't", InjectionContext::HtmlAttribute)
        .expect_err("must reject single-quote attr breakout");
    assert!(format!("{err}").contains('\''));
}

#[test]
fn html_attribute_rejects_unescaped_ampersand() {
    let _err = validate_in_context("a & b", InjectionContext::HtmlAttribute)
        .expect_err("must reject unescaped &");
}

#[test]
fn html_attribute_accepts_clean_value() {
    validate_in_context("clean value", InjectionContext::HtmlAttribute)
        .expect("clean payload must pass");
    validate_in_context("with &amp; entity", InjectionContext::HtmlAttribute)
        .expect("entity references must pass");
}

// ── HtmlText: < and unescaped & ─────────────────────────────────────

#[test]
fn html_text_rejects_raw_lt() {
    let err = validate_in_context("<script>", InjectionContext::HtmlText)
        .expect_err("must reject < (would start tag)");
    assert!(format!("{err}").contains('<'));
}

#[test]
fn html_text_rejects_unescaped_ampersand() {
    let _err = validate_in_context("AT&T", InjectionContext::HtmlText)
        .expect_err("must reject unescaped &");
}

#[test]
fn html_text_accepts_clean_text_and_entities() {
    validate_in_context("plain text only", InjectionContext::HtmlText)
        .expect("clean text must pass");
    validate_in_context(
        "AT&amp;T and &lt;br&gt; and &#x2014;",
        InjectionContext::HtmlText,
    )
    .expect("entity-encoded text must pass");
}

// ── Round-trip with escape_for_context ──────────────────────────────

#[test]
fn escape_then_validate_round_trip_html_attr() {
    use wafrift_encoding::contextual::escape_for_context;
    // The contract: escape_for_context output must always pass
    // validate_in_context. If this regresses, the whole pair is a
    // smoke alarm wired to nothing.
    let dangerous = r#"<script>alert("xss")</script> & 'oops'"#;
    let escaped =
        escape_for_context(dangerous, InjectionContext::HtmlAttribute).expect("escape ok");
    validate_in_context(&escaped, InjectionContext::HtmlAttribute)
        .expect("escape output must pass validate");
}

#[test]
fn escape_then_validate_round_trip_html_text() {
    use wafrift_encoding::contextual::escape_for_context;
    let dangerous = "<a>AT&T</a>";
    let escaped = escape_for_context(dangerous, InjectionContext::HtmlText).expect("escape ok");
    validate_in_context(&escaped, InjectionContext::HtmlText)
        .expect("escape output must pass validate");
}

#[test]
fn escape_then_validate_round_trip_xml_text() {
    use wafrift_encoding::contextual::escape_for_context;
    let dangerous = "<root>a & b</root>";
    let escaped = escape_for_context(dangerous, InjectionContext::XmlText).expect("escape ok");
    validate_in_context(&escaped, InjectionContext::XmlText)
        .expect("escape output must pass validate");
}