Configuration
Edge case handling in policy.yaml:
# policy.yaml
encoding:
  # Decode and normalize before validation
  url_decode: true
  html_decode: true
  unicode_normalize: true  # NFC normalization

  # Block dangerous byte sequences
  block_null_bytes: true
  block_overlong_utf8: true
  block_control_chars: true

  # Double encoding protection
  max_decode_iterations: 3
  detect_double_encoding: true

path_traversal:
  # Block all traversal patterns
  block_dotdot: true
  block_encoded_dotdot: true  # %2e%2e, %252e%252e
  block_backslash: true       # Windows-style
EDGE-001 BLOCKED
URL-encoded path traversal
Attack Attempt
curl http://localhost:8080/%2e%2e%2f%2e%2e%2fetc%2fpasswd
Decoded Pattern
../../etc/passwd
Expected Response
HTTP/1.1 400 Bad Request
{"error": "Path traversal detected", "code": "PATH_TRAVERSAL_BLOCKED"}
URL-encoded traversal patterns (%2e%2e%2f = ../) are decoded and detected before the request reaches the backend.
EDGE-002 BLOCKED
Double URL encoding
Attack Attempt
curl http://localhost:8080/%252e%252e%252f%252e%252e%252fetc%252fpasswd
Decode Steps
Step 1: %252e → %2e
Step 2: %2e → .
Result: ../../etc/passwd
Double-encoded attacks attempt to bypass single-decode defenses. The ALG performs recursive decoding up to the configured limit.
EDGE-005 BLOCKED
Unicode normalization attack
Attack Attempt
curl http://localhost:8080/ＮＯＴＥＳ
Unicode Analysis
Input: ＮＯＴＥＳ (fullwidth letters U+FF2E U+FF2F U+FF34 U+FF25 U+FF33)
Output: NOTES (after NFC normalization)
Unicode normalization attacks use visually similar characters (homoglyphs) to bypass validation. The ALG normalizes to NFC before checking.
EDGE-008 BLOCKED
Overlong UTF-8 encoding
Attack Attempt
curl --data-binary $'\xc0\xae\xc0\xae\x2f' http://localhost:8080/api
Explanation
\xc0\xae = overlong encoding of '.' (0x2e)
Valid UTF-8 for '.': \x2e (1 byte)
Overlong: \xc0\xae (2 bytes) - INVALID
Overlong UTF-8 sequences represent characters with more bytes than necessary. They are invalid UTF-8 and are often used to bypass filters.
EDGE-010 BLOCKED
Null byte injection
Attack Attempt
curl http://localhost:8080/uploads/image.png%00.php
Expected Response
HTTP/1.1 400 Bad Request
{"error": "Null byte detected", "code": "NULL_BYTE_BLOCKED"}
Null byte injection attempts to truncate file paths in languages like C/PHP. The request might access image.png while the server thinks it's a .php file.
EDGE-012 BLOCKED
Control character injection
Attack Attempt
curl -H $'X-Custom: value\x08\x08\x08delete' http://localhost:8080/
Control characters (0x00-0x1F) in headers or bodies are blocked. Backspace (0x08) could be used to manipulate log files or terminals.
EDGE-015 BLOCKED
Backslash path traversal (Windows)
Attack Attempt
curl http://localhost:8080/..\\..\\etc\\passwd
Windows-style backslash path traversal is blocked. Some servers convert backslashes to forward slashes internally.
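The settings in policy.yaml and the cases above, combined into one check ordering. This is an added Python sketch, not the ALG's own code. The function name and every result code other than PATH_TRAVERSAL_BLOCKED and NULL_BYTE_BLOCKED are assumptions, and so is the use of NFKC: fullwidth letters fold to ASCII only under compatibility normalization, while NFC leaves them unchanged.

```python
import unicodedata
from urllib.parse import unquote_to_bytes

MAX_DECODE_ITERATIONS = 3  # mirrors max_decode_iterations in policy.yaml


def canonicalize(raw: bytes):
    """Return (code, canonical_text) for a raw path or header value.

    Hypothetical helper. PATH_TRAVERSAL_BLOCKED and NULL_BYTE_BLOCKED are
    the codes shown on the page; the other codes are made up for this sketch.
    """
    # 1. Percent-decode until the value is stable; refuse deeper nesting.
    cur, rounds = raw, 0
    while (nxt := unquote_to_bytes(cur)) != cur:
        if rounds == MAX_DECODE_ITERATIONS:
            return "DECODE_LIMIT_EXCEEDED", None
        cur, rounds = nxt, rounds + 1
    # 2. Byte-level checks run on the fully decoded value, so %00 is caught.
    if b"\x00" in cur:
        return "NULL_BYTE_BLOCKED", None
    if any(b < 0x20 for b in cur):  # control range 0x00-0x1F
        return "CONTROL_CHAR_BLOCKED", None
    # 3. Strict UTF-8 decoding rejects overlong forms such as C0 AE for '.'
    #    (and any other malformed sequence).
    try:
        text = cur.decode("utf-8")
    except UnicodeDecodeError:
        return "INVALID_UTF8_BLOCKED", None
    # 4. Fold compatibility characters (assumption: NFKC, see lead-in).
    text = unicodedata.normalize("NFKC", text)
    # 5. Traversal checks on the canonical form: any backslash, or a '..' segment.
    if "\\" in text or ".." in text.split("/"):
        return "PATH_TRAVERSAL_BLOCKED", None
    # 6. Benign-looking value that still needed more than one decode round.
    if rounds > 1:
        return "DOUBLE_ENCODING_DETECTED", None
    return "OK", text
```

Validation rules applied after this step see only the canonical text, so a rule written for /NOTES also matches the fullwidth spelling.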