(f *testing.F)
| 239 | } |
| 240 | |
// FuzzAtomicLevelServeHTTP feeds arbitrary request bodies to the PUT handler
// of a fresh AtomicLevel and checks two properties of every response: the
// status is never 500, and the body never contains anything shaped like an
// HTML tag, so markup supplied in the request is not echoed back verbatim.
func FuzzAtomicLevelServeHTTP(f *testing.F) {
	// Seed corpus: two well-formed level changes plus one payload carrying a
	// script tag, so the reflection check is exercised from the first run.
	seeds := []string{
		`{"level":"info"}`,
		`{"level":"warn"}`,
		`{"level":"<script>alert(\"malicious\")</script>"}`,
	}
	for _, seed := range seeds {
		f.Add(seed)
	}

	f.Fuzz(func(t *testing.T, input string) {
		// A new level per input keeps iterations independent of each other.
		level := zap.NewAtomicLevel()
		recorder := httptest.NewRecorder()

		// The request carries no Content-Type header; only the raw body varies.
		request, err := http.NewRequest(
			http.MethodPut,
			"http://localhost:9999/log/level",
			strings.NewReader(input),
		)
		require.NoError(t, err, "Error constructing request.")

		level.ServeHTTP(recorder, request)

		// Stop here on a 500: the body check below is only meaningful for
		// responses the handler produced deliberately.
		require.NotEqual(t, http.StatusInternalServerError, recorder.Code, "Unexpected status code.")

		// Response body must never contain HTML tags.
		body := recorder.Body.String()
		assert.NotRegexp(t, `<[^>]+>`, body, "Unexpected HTML tag in response body.")
	})
}