Edge Case Tests

30 tests cover Unicode handling, encoding attacks, and boundary analysis.

Edge Case Protection

Encoding and Unicode handling is configured in the security settings:

# config.yaml
security:
  encoding:
    url_decode_depth: 3
    detect_double_encoding: true
    block_null_bytes: true
  unicode:
    normalize: true       # NFC normalization
    block_overlong_utf8: true
    block_control_chars: true

EDGE-001 BLOCKED

Double URL encoding

Attack Attempt

curl "http://localhost:8080/users/%252e%252e%252fetc/passwd"

Decode Steps

Step 1: %252e → %2e
Step 2: %2e → .
Result: ../etc/passwd → BLOCKED

Double-encoded payloads are recursively decoded (up to url_decode_depth layers) and the fully decoded value is then validated.
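To make the decode-and-validate step concrete, here is an added Python example (not the project's own code) that applies the security.encoding settings above to a path parameter: it percent-decodes up to url_decode_depth layers, rejects a NUL that appears after decoding, checks the fully decoded value for ".." segments, and flags a second encoding layer when detect_double_encoding is on. The function names, the blocked/reason result shape and the internal meaning of the config keys are assumptions for illustration.

```python
import urllib.parse

# Values mirrored from the security.encoding section of config.yaml above;
# how the project applies them internally is assumed here, not taken from its code.
URL_DECODE_DEPTH = 3
DETECT_DOUBLE_ENCODING = True
BLOCK_NULL_BYTES = True


def decode_layers(value, max_depth=URL_DECODE_DEPTH):
    """Percent-decode `value` until it stops changing or `max_depth` passes are used.

    Returns (decoded, layers, steps): `layers` counts the passes that changed the
    string, and `steps` lists each intermediate form for logging. If the value is
    still changing after `max_depth` passes, `layers` is reported as max_depth + 1
    so the caller treats the partially decoded result as suspicious.
    """
    steps = [value]
    current = value
    layers = 0
    for _ in range(max_depth):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            return current, layers, steps
        current = decoded
        layers += 1
        steps.append(current)
    if urllib.parse.unquote(current) != current:
        layers += 1  # depth limit hit while the value is still encoded
    return current, layers, steps


def validate_path_param(raw, max_depth=URL_DECODE_DEPTH,
                        detect_double_encoding=DETECT_DOUBLE_ENCODING,
                        block_null_bytes=BLOCK_NULL_BYTES):
    """Decode a user-supplied path segment and decide whether to block it.

    Returns {"blocked": bool, "reason": str, "decoded": str}; the reason strings
    are illustrative names, not the project's error codes.
    """
    decoded, layers, _ = decode_layers(raw, max_depth)

    # A NUL can only arrive percent-encoded (%00), so check the decoded form.
    if block_null_bytes and "\x00" in decoded:
        return {"blocked": True, "reason": "null_byte", "decoded": decoded}

    # Validate the fully decoded value: a '..' segment in either slash style is a
    # traversal attempt no matter how many encoding layers hid it.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return {"blocked": True, "reason": "path_traversal", "decoded": decoded}

    # A legitimate client encodes once; a second layer is itself a signal.
    if detect_double_encoding and layers > 1:
        return {"blocked": True, "reason": "double_encoding", "decoded": decoded}

    if layers > max_depth:
        return {"blocked": True, "reason": "decode_depth_exceeded", "decoded": decoded}

    return {"blocked": False, "reason": "", "decoded": decoded}


if __name__ == "__main__":
    # Reproduce the decode steps shown for EDGE-001.
    _, _, steps = decode_layers("%252e%252e%252fetc/passwd")
    for i in range(1, len(steps)):
        print(f"Step {i}: {steps[i - 1]} -> {steps[i]}")
    print(validate_path_param("%252e%252e%252fetc/passwd"))
```

The traversal check runs before the double-encoding check so that the reported reason matches what the page shows for EDGE-001 (the decoded "../etc/passwd"); with detect_double_encoding enabled, a payload such as "%2525" that decodes to something harmless is still blocked purely for carrying a second layer.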

EDGE-005 BLOCKED

Unicode normalization attack

Attack Attempt

# Using fullwidth characters: ＡＤＭＩＮ

Normalization

ＡＤＭＩＮ → ADMIN (after NFC normalization)

Unicode strings are normalized to NFC before validation to prevent homograph attacks.
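The normalize-then-validate step, as an added Python example (not the project's code): it applies the configured normalization form, rejects control and format characters per block_control_chars, and only then compares the name against a constructed reserved-name list. One caveat worth checking when running this test against a real deployment: NFC composes combining sequences but does not fold compatibility variants, so fullwidth ＡＤＭＩＮ only becomes ASCII "ADMIN" under NFKC. The example runs both forms so the difference is visible; the RESERVED_NAMES set and the result shape are assumptions.

```python
import unicodedata

# Constructed sample of identifiers the service refuses; the real list is not on the page.
RESERVED_NAMES = {"admin", "root"}


def normalize_identifier(value, form="NFC", block_control_chars=True):
    """Apply the configured normalization form and control-character policy.

    Returns (normalized, error); error is None when the value passes.
    """
    normalized = unicodedata.normalize(form, value)
    if block_control_chars:
        for ch in normalized:
            # Cc covers C0/C1 controls (NUL, ESC, CR, LF); Cf covers format characters
            # such as zero-width spaces and bidi overrides, which also disguise names.
            if unicodedata.category(ch) in ("Cc", "Cf"):
                return normalized, "control_char"
    return normalized, None


def check_username(value, form="NFC", block_control_chars=True):
    """Normalize first, then compare against the reserved list case-insensitively.

    Note: neither NFC nor NFKC maps a Cyrillic 'а' (U+0430) to Latin 'a', so
    cross-script confusables need a separate confusable-skeleton check.
    """
    normalized, error = normalize_identifier(value, form, block_control_chars)
    if error:
        return {"accepted": False, "reason": error, "normalized": normalized}
    if normalized.casefold() in RESERVED_NAMES:
        return {"accepted": False, "reason": "reserved_name", "normalized": normalized}
    return {"accepted": True, "reason": "", "normalized": normalized}


if __name__ == "__main__":
    fullwidth = "\uff21\uff24\uff2d\uff29\uff2e"  # ＡＤＭＩＮ
    for form in ("NFC", "NFKC"):
        print(form, check_username(fullwidth, form))
    print(check_username("admin\u200b"))   # zero-width space: blocked as a format char
    print(check_username("cafe\u0301"))    # combining accent: NFC composes it to café
```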

EDGE-010 BLOCKED

Null byte injection

Attack Attempt

curl "http://localhost:8080/users?name=admin%00.json"

Expected Response

{"error": "Null byte detected", "code": "NULL_BYTE_BLOCKED"}

Null bytes in requests are detected and blocked to prevent truncation attacks.

EDGE-015 BLOCKED

Overlong UTF-8 encoding

Attack Attempt

# '/' as overlong: \xc0\xaf instead of \x2f

Overlong UTF-8 sequences are invalid UTF-8 and are rejected so that an alternate encoding of a character such as '/' cannot bypass path checks.
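The byte-level checks behind EDGE-010 and EDGE-015 together, as an added Python example (not the project's code): it screens the raw request target before any parsing, rejecting a literal NUL, an overlong sequence located by a small hand-written scanner, anything Python's strict UTF-8 decoder refuses, and a NUL hidden behind %00. The NULL_BYTE_BLOCKED response is the one shown above; the other error dicts, the function names and the block_* parameter names are assumptions.

```python
import urllib.parse


def find_overlong(raw):
    """Return the offset of the first overlong UTF-8 sequence in `raw`, or -1.

    A sequence is overlong when the code point it encodes is smaller than the
    minimum for its byte length (0x80 for 2 bytes, 0x800 for 3, 0x10000 for 4).
    Malformed or truncated sequences are skipped here; the strict decoder in
    validate_request_bytes rejects those anyway.
    """
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead < 0x80:
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            length, cp, minimum = 2, lead & 0x1F, 0x80
        elif 0xE0 <= lead <= 0xEF:
            length, cp, minimum = 3, lead & 0x0F, 0x800
        elif 0xF0 <= lead <= 0xF7:
            length, cp, minimum = 4, lead & 0x07, 0x10000
        else:
            i += 1  # stray continuation byte or invalid lead byte
            continue
        tail = raw[i + 1:i + length]
        if len(tail) != length - 1 or any(not (0x80 <= b <= 0xBF) for b in tail):
            i += 1
            continue
        for b in tail:
            cp = (cp << 6) | (b & 0x3F)
        if cp < minimum:
            return i
        i += length
    return -1


def validate_request_bytes(raw, block_null_bytes=True, block_overlong_utf8=True):
    """Screen the raw request target (path and query) before any parsing.

    Returns None when the bytes are acceptable, otherwise an error dict.
    """
    if block_null_bytes and b"\x00" in raw:
        return {"error": "Null byte detected", "code": "NULL_BYTE_BLOCKED"}
    if block_overlong_utf8:
        offset = find_overlong(raw)
        if offset >= 0:
            return {"error": "Overlong UTF-8 sequence", "code": "OVERLONG_UTF8_BLOCKED", "offset": offset}
    try:
        # Python's UTF-8 codec is strict: it also rejects overlong forms, surrogates
        # and truncated sequences, so this is the authoritative check.
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return {"error": "Invalid UTF-8", "code": "INVALID_UTF8_BLOCKED", "offset": exc.start}
    # A NUL hidden behind percent-encoding (%00) only appears after decoding.
    if block_null_bytes and "\x00" in urllib.parse.unquote(text):
        return {"error": "Null byte detected", "code": "NULL_BYTE_BLOCKED"}
    return None


if __name__ == "__main__":
    print(validate_request_bytes(b"/users?name=admin%00.json"))        # EDGE-010
    print(validate_request_bytes(b"/users/..\xc0\xafetc/passwd"))      # EDGE-015
    print(validate_request_bytes(b"/users/caf\xc3\xa9?limit=10"))      # accepted
```

Running the overlong scanner in front of the codec is what lets the test report the specific reason and offset; relying on the codec alone would still block the request, but only as a generic decode failure.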

EDGE-020 BLOCKED

Integer overflow in parameter

Attack Attempt

curl "http://localhost:8080/users?limit=9999999999999999999999"

Expected Response

{"error": "Integer overflow", "parameter": "limit", "max": 2147483647}

Integer parameters are validated against maximum values defined in the schema.
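Schema-bounded integer validation, as an added Python example (not the project's code): each integer parameter is matched against an ASCII-digit pattern, parsed with Python's arbitrary-precision int, and compared with the schema's min and max before it reaches anything with a fixed-width integer type. The "Integer overflow" response reproduces the one shown above; the PARAM_SCHEMA contents (other than the limit maximum), the underflow and duplicate errors, and the function names are assumptions.

```python
import re
import urllib.parse

INT32_MAX = 2147483647

# Constructed schema: integer bounds per query parameter. The page only states
# that "limit" has a maximum of 2147483647; the rest is illustrative.
PARAM_SCHEMA = {
    "limit": {"type": "integer", "min": 1, "max": INT32_MAX},
    "offset": {"type": "integer", "min": 0, "max": INT32_MAX},
}

# ASCII digits only: int() would also accept Unicode digits ("١٢"), underscores
# ("1_000") and surrounding whitespace, none of which a schema should tolerate.
# The length cap bounds the work done on absurdly long inputs.
_INT_RE = re.compile(r"[+-]?[0-9]{1,32}")


def validate_int_param(name, raw):
    """Validate one integer parameter against PARAM_SCHEMA.

    Returns (value, None) on success or (None, error_dict). Bounds are checked on
    the arbitrary-precision Python int before the value is handed to anything
    with a fixed-width integer type (a database driver, a downstream service).
    """
    schema = PARAM_SCHEMA.get(name)
    if schema is None or schema["type"] != "integer":
        return None, {"error": "Unknown parameter", "parameter": name}
    if not _INT_RE.fullmatch(raw):
        return None, {"error": "Invalid integer", "parameter": name}
    value = int(raw)
    if value > schema["max"]:
        return None, {"error": "Integer overflow", "parameter": name, "max": schema["max"]}
    if value < schema["min"]:
        return None, {"error": "Integer underflow", "parameter": name, "min": schema["min"]}
    return value, None


def validate_query(query):
    """Validate every schema-listed integer parameter in a raw query string.

    Returns (values, errors); a request is rejected when errors is non-empty.
    Repeated parameters are rejected rather than silently taking the first value.
    """
    values, errors = {}, []
    for name, raws in urllib.parse.parse_qs(query, keep_blank_values=True).items():
        if name not in PARAM_SCHEMA:
            continue
        if len(raws) != 1:
            errors.append({"error": "Duplicate parameter", "parameter": name})
            continue
        value, error = validate_int_param(name, raws[0])
        if error:
            errors.append(error)
        else:
            values[name] = value
    return values, errors


if __name__ == "__main__":
    print(validate_query("limit=9999999999999999999999"))   # EDGE-020 payload
    print(validate_query("limit=10&offset=20"))
```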