aboutsummaryrefslogtreecommitdiffstats
path: root/test
AgeCommit message (Collapse)Author
2019-10-02Fix HTTP/2 CVEsLoïc Hoguin
A number of HTTP/2 CVEs were documented recently: https://www.kb.cert.org/vuls/id/605641/ This commit, along with a few changes and additions in Cowlib, fix or improve protection against all of them. For CVE-2019-9511, also known as Data Dribble, the new option stream_window_data_threshold can be used to control how little the DATA frames that Cowboy sends can get. For CVE-2019-9516, also known as 0-Length Headers Leak, Cowboy will now simply reject streams containing 0-length header names. For CVE-2019-9517, also known as Internal Data Buffering, the backpressure changes were already pretty good at preventing this issue, but a new option max_connection_buffer_size was added for even better control over how much memory we are willing to allocate. For CVE-2019-9512, also known as Ping Flood; CVE-2019-9515, also known as Settings Flood; CVE-2019-9518, also known as Empty Frame Flooding; and similar undocumented scenarios, a frame rate limiting mechanism was added. By default Cowboy will now allow 1000 frames every 10 seconds. This can be configured via max_received_frame_rate. For CVE-2019-9514, also known as Reset Flood, another rate limiting mechanism was added and can be configured via max_reset_stream_rate. By default Cowboy will do up to 10 stream resets every 10 seconds. Finally, nothing was done for CVE-2019-9513, also known as Resource Loop, because Cowboy does not currently implement the HTTP/2 priority mechanism (in parts because these issues were well known from the start). Tests were added for all cases except Internal Data Buffering, which I'm not sure how to test, and Resource Loop, which is not currently relevant.
2019-10-02Update gun_down messages in test suitesLoïc Hoguin
2019-09-28Add persistent_term support to the routerLoïc Hoguin
2019-09-16Fix closing of connection on response_body_too_smallLoïc Hoguin
2019-09-15Split up urlencoded tests to speed up req_SUITELoïc Hoguin
2019-09-15Skip req_SUITE:read_body_mtu on WindowsLoïc Hoguin
On Windows the loopback MTU seems to be set to 0xFFFFFFFF (basically no limit) which makes the test irrelevant.
2019-09-15Increase the period for req_SUITE:read_body_periodLoïc Hoguin
This should increase the likelihood of the test succeeding on slower systems when run over TLS.
2019-09-15Fix h2spec_SUITE init_per_suite return valuesLoïc Hoguin
2019-09-15Fix intermittent failures in sys_SUITELoïc Hoguin
2019-09-14Implement backpressure on cowboy_req:stream_bodyLoïc Hoguin
This should limit the amount of memory that Cowboy is using when a handler is sending data much faster than the network. The new max_stream_buffer_size is a soft limit and only has an effect when the cowboy_stream_h handler is used.
2019-09-07Improve the cowboy_static consistency across platformsLoïc Hoguin
As a result we explictly reject path_info components that include a forward slash, backward slash or NUL character. This only applies to the [...] part of the path for dir/priv_dir configuration. Also improve the tests so that they work on Windows.
2019-09-06Fix tests failing following Gun update to masterLoïc Hoguin
2019-09-06Rename Gun's transport_opts to tls_optsLoïc Hoguin
2019-09-06Correct tests modifying mtime of static filesLoïc Hoguin
On macOS this resulted in failure because the mtime did not change between test groups. The mtime should now always change.
2019-09-06Fix using custom fields in ReqLoïc Hoguin
2019-09-05Fix and optimize sending of WINDOW_UPDATE framesLoïc Hoguin
For long-running connections it was possible for the connection window to become larger than allowed by the protocol because the window increases claimed by stream handlers were never reclaimed even if no data was consumed. The new code applies heuristics to fix this and reduce the number of WINDOW_UPDATE frames that are sent. It includes six new options to control that behavior: margin, max and threshold for both the connection and stream windows. The margin is some extra space added on top of the requested read size. The max is the maximum window size at any given time. The threshold is a minimum window size that must be reached before we even consider sending more WINDOW_UPDATE frames. We also avoid sending WINDOW_UPDATE frames when there is already enough space in the window, or when the read size is 0. Cowlib is set to master until a new tag is done.
2019-07-26Add a zero-length DATA frame in the lingering_data testTony Han
2019-07-16Data received after RST_STREAM counts toward windowTony Han
2019-04-01Fallback to host header if authority is missingFredrik Enestad
2019-04-01Add a cowboy_static test with an uppercase filename/extensionLoïc Hoguin
2019-03-10Don't error out when h2spec can't be compiledLoïc Hoguin
2018-11-22Improve the reliability of some http_SUITE testsLoïc Hoguin
2018-11-22Fix compress buffering tests before OTP 20.1Loïc Hoguin
2018-11-22Move the final old HTTP suite tests and remove itLoïc Hoguin
2018-11-21Move many old HTTP test cases to the rest_handler test suiteLoïc Hoguin
A bug was fixed in cowboy_rest where when content_types_provided returned a media type with a wildcard as first in the list, and a request comes in without an accept header, then the media_type value in the Req object would contain '*' instead of [] for the parameters.
2018-11-21Move a old HTTP test cases to new plain_handler test suiteLoïc Hoguin
2018-11-21Rename sec_SUITE to security_SUITELoïc Hoguin
2018-11-21Move one more old HTTP test caseLoïc Hoguin
2018-11-21Move some more tests out of the old HTTP test suiteLoïc Hoguin
2018-11-21Create a security test suite based on old HTTP test casesLoïc Hoguin
2018-11-21Move another test from the old HTTP test suiteLoïc Hoguin
2018-11-21Move some tests out of the old HTTP test suiteLoïc Hoguin
And additional minor tweaks.
2018-11-20Move HTTP/1.0 tests from the old test suite to rfc7230Loïc Hoguin
2018-11-20Silence expected warnings for messages from unknown processesLoïc Hoguin
2018-11-20Silence the expected set_env_missing errorLoïc Hoguin
2018-11-20Increase a few more timeouts to reduce intermittent failuresLoïc Hoguin
2018-11-20Fix the request_timeout_infinity testLoïc Hoguin
Wrong option was being tested.
2018-11-20Don't run long test suites by defaultLoïc Hoguin
The examples test suite is only useful once in a while in order to know whether examples were broken, for example before issuing a release. The new ws_autobahn test suite isolates the autobahn test suite so that it can be ignored by default. It's only useful to run it when working on the Websocket code or before issuing a release.
2018-11-20Handle a test case sometimes sending a response too fastLoïc Hoguin
2018-11-20Wait for the connection to be up in a few testsLoïc Hoguin
2018-11-20Increase a test timeout to get rid of intermittent failuresLoïc Hoguin
2018-11-19Fix case insensitive filesystems in static_handler test suiteLoïc Hoguin
2018-11-19Silence expected errors from the stream_handler test suite2.6.0Loïc Hoguin
2018-11-19Add an additional test to the static test suiteLoïc Hoguin
2018-11-19Silence expected errors from the static_handler test suiteLoïc Hoguin
2018-11-19Use try..after in tests that start their own listenersLoïc Hoguin
2018-11-19Use ?FUNCTION_NAME instead of ct_helper:name()Loïc Hoguin
Cowboy is 19+ so it's OK to use it.
2018-11-18Add the chunked option for HTTP/1.1Loïc Hoguin
It allows disabling the chunked transfer-encoding. It can also be disabled on a per-request basis, although it will be ignored for responses that are not streamed.
2018-11-16Add the idle_timeout option to HTTP/2Loïc Hoguin
2018-11-16Add the set_options Websocket commandLoïc Hoguin
It allows overriding the idle_timeout option only for now.