(t *testing.T)
| 218 | } |
| 219 | |
// TestAtomicLevelServeHTTPBadLevel sends a PUT whose "level" value is an HTML
// script tag and checks that the handler answers 400 Bad Request, reports an
// "unrecognized level" error, and does not return the literal "<script>"
// substring in the response body.
func TestAtomicLevelServeHTTPBadLevel(t *testing.T) {
	// Well-formed JSON whose level name is markup rather than a log level.
	const payload = `{"level":"<script>alert(\"malicious\")</script>"}`

	server := httptest.NewServer(zap.NewAtomicLevel())
	defer server.Close()

	putReq, err := http.NewRequest(http.MethodPut, server.URL, strings.NewReader(payload))
	require.NoError(t, err, "Error constructing request.")

	resp, err := http.DefaultClient.Do(putReq)
	require.NoError(t, err, "Error making request.")
	defer func() {
		// Closing inside a closure lets the Close error be asserted at exit.
		assert.NoError(t, resp.Body.Close(), "Error closing response body.")
	}()

	assert.Equal(t, http.StatusBadRequest, resp.StatusCode, "Unexpected status code.")

	raw, err := io.ReadAll(resp.Body)
	require.NoError(t, err, "Error reading response body.")
	body := string(raw)

	// The rejection must still explain what was wrong with the request.
	assert.Contains(t, body, "unrecognized level", "Unexpected error message.")

	// Guard against the submitted value being reflected verbatim.
	// NOTE(review): this is a case-sensitive match on one literal tag; it does
	// not cover other markup and the test does not inspect the response
	// Content-Type, so it pins only that this exact tag is not echoed back.
	assert.NotContains(t, body, "<script>", "Unexpected error message.")
}
| 240 | |
| 241 | func FuzzAtomicLevelServeHTTP(f *testing.F) { |
| 242 | f.Add(`{"level":"info"}`) |