github/podinfo
1
0
Fork 0
mirror of https://github.com/stefanprodan/podinfo.git synced 2026-05-22 01:12:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(echo): assert nosniff Content-Type on echo direct-response

Browse Source 
Regression test for CVE-2026-43644, mirroring the TestStoreReadHandler_ContentType
test added in #463. Verifies the echoHandler direct-response branch returns
application/octet-stream, X-Content-Type-Options: nosniff, and a restrictive CSP
so an HTML payload cannot be MIME-sniffed and executed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Niccolò Parlanti
2026-05-16 23:47:28 +02:00
parent b65271f0d9
commit 6210e0a920
1 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
pkg/api/http/echo_test.go
View File

@@ -46,3 +46,31 @@ func TestEchoHandler(t *testing.T) {
}
}
}
func TestEchoHandler_ContentType(t *testing.T) {
srv := NewMockServer()
handler := http.HandlerFunc(srv.echoHandler)
payload := "<html><script>alert(1)</script></html>"
req, err := http.NewRequest("POST", "/echo", strings.NewReader(payload))
if err != nil {
t.Fatal(err)
}
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
if rr.Code != http.StatusAccepted {
t.Fatalf("echo returned status %d, want %d", rr.Code, http.StatusAccepted)
}
expectedHeaders := map[string]string{
"Content-Type": "application/octet-stream",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'none'",
}
for header, want := range expectedHeaders {
if got := rr.Header().Get(header); got != want {
t.Errorf("%s = %q, want %q", header, got, want)
}
}
}