Subject: Re: [boost] [beast] Security
From: Vinnie Falco (vinnie.falco_at_[hidden])
Date: 2017-07-03 16:47:10


On Mon, Jul 3, 2017 at 9:42 AM, Phil Endecott via Boost
<boost_at_[hidden]> wrote:
> Has it been reviewed by anyone with specific experience of how
> HTTP can be attacked? Has it been "fuzzed"?

I would love for someone to do a security audit and in the absence of
a volunteer I will likely take on the expense myself.

That said, I have made the tests quite extensive. 100% code coverage
is always an ongoing goal. All branches which handle failure are
checked, and there is a concept called "bufgrind" where all possible
2-buffer combinations of inputs are tested. This means for a message
of size N it is split up into two buffers x and N-x and fed to the
parser. You can see that stuff here:

https://github.com/vinniefalco/Beast/blob/78a065ba39836d91d7e70d93de7f9140f518083b/test/http/basic_parser.cpp#L1057

https://github.com/vinniefalco/Beast/blob/78a065ba39836d91d7e70d93de7f9140f518083b/test/http/basic_parser.cpp#L386

https://github.com/vinniefalco/Beast/blob/78a065ba39836d91d7e70d93de7f9140f518083b/test/http/basic_parser.cpp#L220

You can see that coverage is extremely high:

https://codecov.io/gh/vinniefalco/Beast/src/review/include/beast/http/impl/basic_parser.ipp

Note that the review branch is missing some tests which I have since
added, so actual coverage is higher than what is displayed here.
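
The two-buffer split ("bufgrind") described in the message above, sketched as an added example that is not part of the original post or of Beast's test suite. `ToyParser`, `bufgrind`, `kGood` and `kBad` are hypothetical names, and the parser is a toy stand-in for an incremental HTTP header parser, not Beast's `basic_parser`.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy incremental parser (hypothetical, not Beast's basic_parser): collects
// CRLF-terminated lines until the blank line that ends an HTTP header block.
struct ToyParser {
    enum class State { line, cr, done, error };
    State state = State::line;
    std::string cur;                 // line being assembled
    std::vector<std::string> lines;  // completed start line and fields
    // Consume one buffer; state carries over to the next call.
    void put(const std::string& buf) {
        for (char c : buf) {
            switch (state) {
            case State::line:
                if (c == '\r') state = State::cr;
                else if (c == '\n') state = State::error;  // bare LF
                else cur.push_back(c);
                break;
            case State::cr:
                if (c != '\n') state = State::error;       // CR without LF
                else if (cur.empty()) state = State::done; // blank line
                else { lines.push_back(cur); cur.clear(); state = State::line; }
                break;
            default:  // bytes after the end, or after an error
                state = State::error;
                return;
            }
        }
    }
};

// Constructed sample inputs (not from Beast's test suite).
const std::string kGood = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";
const std::string kBad = "GET / HTTP/1.1\rX\r\n\r\n";

// Split msg at every x into [0,x) and [x,N); count the splits whose outcome
// differs from parsing msg as one buffer (0 means split-invariant).
std::size_t bufgrind(const std::string& msg) {
    ToyParser whole;
    whole.put(msg);
    std::size_t mismatches = 0;
    for (std::size_t x = 1; x < msg.size(); ++x) {
        ToyParser p;
        p.put(msg.substr(0, x));
        p.put(msg.substr(x));
        if (p.state != whole.state || p.lines != whole.lines) ++mismatches;
    }
    return mismatches;
}
```

A nonzero return means some split point, for example one falling between the CR and LF of a line ending, changes what the parser accepts or extracts.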

