TestCheckResponse_LargeBodyTruncated verifies that CheckResponse reads at most maxErrorBodySize bytes from an error response body, so that a malicious or buggy server cannot cause the client to allocate unbounded memory.
(t *testing.T)
| 3891 | // malicious or buggy server cannot cause the client to allocate unbounded |
| 3892 | // memory. |
| 3893 | func TestCheckResponse_LargeBodyTruncated(t *testing.T) { |
| 3894 | t.Parallel() |
| 3895 | // Build a body that is one byte larger than the cap. |
| 3896 | body := strings.Repeat("x", maxErrorBodySize+1) |
| 3897 | res := &http.Response{ |
| 3898 | Request: &http.Request{}, |
| 3899 | StatusCode: http.StatusBadRequest, |
| 3900 | Body: io.NopCloser(strings.NewReader(body)), |
| 3901 | } |
| 3902 | |
| 3903 | // CheckResponse should not return an error from the read itself; the HTTP |
| 3904 | // error status is the expected error. |
| 3905 | if err := CheckResponse(res); err == nil { |
| 3906 | t.Fatal("Expected error from CheckResponse, got nil") |
| 3907 | } |
| 3908 | |
| 3909 | // After CheckResponse, the body is restored with the (truncated) bytes that |
| 3910 | // were actually read. Verify the restored body is exactly maxErrorBodySize |
| 3911 | // bytes — not the full maxErrorBodySize+1 that the server sent. |
| 3912 | restored, err := io.ReadAll(res.Body) |
| 3913 | if err != nil { |
| 3914 | t.Fatalf("io.ReadAll on restored body: %v", err) |
| 3915 | } |
| 3916 | if got, want := len(restored), maxErrorBodySize; got != want { |
| 3917 | t.Errorf("restored body length = %v, want %v (maxErrorBodySize)", got, want) |
| 3918 | } |
| 3919 | } |
| 3920 | |
| 3921 | func TestParseBooleanResponse_true(t *testing.T) { |
| 3922 | t.Parallel() |
nothing calls this directly
no test coverage detected
searching dependent graphs…