fix(proxy): recompute Content-Length when repeat_request replaces the body#604
fix(proxy): recompute Content-Length when repeat_request replaces the body#604Osamaali313 wants to merge 2 commits into
Conversation
… body build_raw_request only sets Content-Length when absent, so a repeat_request that replaces the body kept the original request's stale Content-Length and sent a wrong body length — truncating the modified/injected payload (which defeats parameter-tampering and injection replays). apply_modifications now drops a carried-over Content-Length (case-insensitively) on body replacement so it is recomputed, unless the caller explicitly set Content-Length in the same call. Adds tests.
Greptile SummaryThis PR fixes a bug in
Confidence Score: 4/5Safe to merge for the common case; the fix correctly handles non-empty body replacement and explicit Content-Length overrides. The fix is logically sound and the three new tests pass for the scenarios described in the PR. The only gap is the empty-body replacement path: build_raw_request skips adding Content-Length when the body string is falsy, so replacing a body with an empty string produces a raw POST with no Content-Length header at all. This is a narrow edge case and the behavior is no worse than before the PR, but it is an unverified code path. strix/tools/proxy/caido_api.py line 160 and the corresponding test file would benefit from a follow-up to handle the empty-body replacement case. Important Files Changed
Prompt To Fix All With AIFix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
tests/test_proxy_caido_api.py:14-28
**Missing test: empty-body replacement leaves no `Content-Length`**
The test suite covers the happy path (non-empty replacement) and the explicit-override path, but not the case where `modifications={"body": ""}`. `apply_modifications` will correctly drop the old `Content-Length`, but `build_raw_request` guards its recomputation with `if body and ...` (line 160 of `caido_api.py`), so an empty string is falsy and the header is never added back. The resulting raw POST request contains no `Content-Length` header at all — some servers will reject it or behave unexpectedly. A test and a fix in `build_raw_request` (changing the condition to `if body is not None and ...`) would close this gap.
Reviews (1): Last reviewed commit: "fix(proxy): recompute Content-Length whe..." | Re-trigger Greptile |
|
|
||
| def test_body_replacement_recomputes_content_length() -> None: | ||
| components = { | ||
| "method": "POST", | ||
| "headers": {"Host": "x.test", "Content-Length": "3"}, | ||
| "body": "old", | ||
| } | ||
| new_body = "this is the new and much longer body!" | ||
| result = apply_modifications(components, {"body": new_body}, "http://x.test/submit") | ||
| _conn, raw = build_raw_request( | ||
| method=result["method"], | ||
| url=result["url"], | ||
| headers=result["headers"], | ||
| body=result["body"], | ||
| ) |
There was a problem hiding this comment.
Missing test: empty-body replacement leaves no
Content-Length
The test suite covers the happy path (non-empty replacement) and the explicit-override path, but not the case where modifications={"body": ""}. apply_modifications will correctly drop the old Content-Length, but build_raw_request guards its recomputation with if body and ... (line 160 of caido_api.py), so an empty string is falsy and the header is never added back. The resulting raw POST request contains no Content-Length header at all — some servers will reject it or behave unexpectedly. A test and a fix in build_raw_request (changing the condition to if body is not None and ...) would close this gap.
Prompt To Fix With AI
This is a comment left during a code review.
Path: tests/test_proxy_caido_api.py
Line: 14-28
Comment:
**Missing test: empty-body replacement leaves no `Content-Length`**
The test suite covers the happy path (non-empty replacement) and the explicit-override path, but not the case where `modifications={"body": ""}`. `apply_modifications` will correctly drop the old `Content-Length`, but `build_raw_request` guards its recomputation with `if body and ...` (line 160 of `caido_api.py`), so an empty string is falsy and the header is never added back. The resulting raw POST request contains no `Content-Length` header at all — some servers will reject it or behave unexpectedly. A test and a fix in `build_raw_request` (changing the condition to `if body is not None and ...`) would close this gap.
How can I resolve this? If you propose a fix, please make it concise.build_raw_request only auto-adds Content-Length for a non-empty body, so replacing the body with an empty string produced a request with no Content-Length. Set it to 0 explicitly in apply_modifications (scoped to the body-replacement path, so body-less requests like GET are unaffected). Adds a test.
|
Good catch — fixed in cd415e7. An empty replacement body now gets I scoped it to the body-replacement path rather than changing |
Fixes #603
Problem
build_raw_request(strix/tools/proxy/caido_api.py) only auto-computesContent-Lengthwhen it is absent. So whenrepeat_requestreplaces the body (modifications={"body": ...}), the original request's staleContent-Lengthis carried over and sent — a server reading exactly that many bytes truncates the new body (or stalls), silently dropping the modified/injected payload. That defeats parameter-tampering / injection replays (the core use of the tool) and yields misleading negative results.Reproduction
Original body
"old"(Content-Length: 3); replacing it with a 37-byte body still sendsContent-Length: 3.Fix
In
apply_modifications, when the body is replaced, drop any carried-overContent-Length(case-insensitively) sobuild_raw_requestrecomputes it — unless the caller explicitly setContent-Lengthin the same call's header modifications (preserves deliberate length-mismatch / smuggling tests).Tests
Adds
tests/test_proxy_caido_api.py: body replacement recomputes Content-Length; explicit override preserved; no-body modification leaves it untouched. Verified RED→GREEN on the real functions (3 passed).