[compliance] Update goldens - 7 fewer failures! (#526)
diff --git a/pkgs/_shelf_compliance/reports/shelf/Compliance.json b/pkgs/_shelf_compliance/reports/shelf/Compliance.json
index 81b5a00..e34b54a 100644
--- a/pkgs/_shelf_compliance/reports/shelf/Compliance.json
+++ b/pkgs/_shelf_compliance/reports/shelf/Compliance.json
@@ -580,10 +580,8 @@
"rfcReference": "RFC 9112 §6.1",
"rfcLevel": "Must",
"expected": "400/501 or close",
- "verdict": "Fail",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: gzip\r\n\r\n",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: gzip\r\n\r\n"
},
{
"id": "COMP-VERSION-CASE",
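Review bot: The new Pass record keeps only `verdict` and `rawRequest` and drops `statusCode` and `rawResponse`, so the golden no longer says whether the server answered 400/501 or closed the connection — both satisfy `"expected": "400/501 or close"`, but they are different behaviours and a later flip between them would not show up as a golden diff. If the harness can still capture it, keep `"statusCode": 400` (or whatever was observed) or a `"behavioralNote": "Connection closed"` on Pass entries, as some of the Smuggling.json records in this commit do. Only report files change here, so the server-side change that turned a bodiless `Transfer-Encoding: gzip` POST from a 200 into a rejection is not visible; linking it from the PR description would tie these goldens to a parser fix rather than a harness change.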
diff --git a/pkgs/_shelf_compliance/reports/shelf/Smuggling.json b/pkgs/_shelf_compliance/reports/shelf/Smuggling.json
index 11e61f6..38e73d2 100644
--- a/pkgs/_shelf_compliance/reports/shelf/Smuggling.json
+++ b/pkgs/_shelf_compliance/reports/shelf/Smuggling.json
@@ -215,11 +215,8 @@
"rfcReference": "RFC 9112 §7",
"rfcLevel": "Must",
"expected": "400 or 2xx",
- "verdict": "Warn",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: chunked;ext=val\r\nContent-Length: 5\r\n\r\nhello",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n",
- "behavioralNote": "Body: 0"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: chunked;ext=val\r\nContent-Length: 5\r\n\r\nhello"
},
{
"id": "SMUG-CL-COMMA-DIFFERENT",
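Review bot: For this entry `expected` is `"400 or 2xx"`, so a bare `"verdict": "Pass"` with no `statusCode` is ambiguous: the old record showed a 200 with `Body: 0`, which suggests the server read the body as something other than the five `Content-Length` bytes, and the new record does not say whether it now rejects `chunked;ext=val` or still accepts it with a different body reading. Keep `statusCode` (and the `Body:` behavioralNote when a 2xx is returned) on the Pass record, e.g. `"statusCode": 400`, so the golden pins which of the two accepted outcomes occurred. A server that still answers 2xx after consuming a body length that disagrees with `Content-Length` is the CL/TE disagreement the rest of this file is trying to catch, and the Pass alone would hide it.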
@@ -490,11 +487,9 @@
"rfcReference": "RFC 9112 §6.1",
"rfcLevel": "Must",
"expected": "400, or close (no extra response)",
- "verdict": "Fail",
- "statusCode": 200,
+ "verdict": "Pass",
"rawRequest": "── Poison POST with embedded GET (TE: , chunked) ──\nPOST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nContent-Length: 46\r\nTransfer-Encoding: , chunked\r\n\r\n0\r\n\r\nGET / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\n\r\n",
- "rawResponse": "── Poison POST with embedded GET (TE: , chunked) ──\nHTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\nHTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ndate: <DATE>\r\ncontent-length: 2\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\nOK",
- "behavioralNote": "MULTIPLE RESPONSES: observed 2 HTTP status lines (embedded GET likely executed)"
+ "behavioralNote": "Connection closed — safe"
},
{
"id": "SMUG-CLTE-SMUGGLED-GET-TE-OBS-FOLD",
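Review bot: `"behavioralNote": "Connection closed — safe"` records a judgement rather than an observation: `expected` allows either a 400 or a close with no extra response, and the new record has no `rawResponse` or `statusCode`, so a reader cannot tell whether the server sent 400 before closing or closed silently, nor verify that nothing was written for the embedded GET. Prefer a factual note plus the observed status, e.g. `"behavioralNote": "Connection closed; 0 status lines observed"` (or `1` with `"statusCode": 400` if a response preceded the close), and leave the pass/fail call to `verdict`. The same wording is used in the SMUG-TE-DUPLICATE-HEADERS-SMUGGLED-GET record later in this file and would benefit from the same treatment.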
@@ -717,11 +712,9 @@
"rfcReference": "RFC 9112 §6.1",
"rfcLevel": "Must",
"expected": "400, or close (no extra response)",
- "verdict": "Fail",
- "statusCode": 200,
+ "verdict": "Pass",
"rawRequest": "── Poison POST with duplicate TE + embedded GET ──\nPOST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\nContent-Length: 46\r\n\r\n0\r\n\r\nGET / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\n\r\n",
- "rawResponse": "── Poison POST with duplicate TE + embedded GET ──\nHTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\nHTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ndate: <DATE>\r\ncontent-length: 2\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\nOK",
- "behavioralNote": "MULTIPLE RESPONSES: observed 2 HTTP status lines (embedded GET likely executed)"
+ "behavioralNote": "Connection closed — safe"
},
{
"id": "SMUG-TE-EMPTY-VALUE",
@@ -730,11 +723,8 @@
"rfcReference": "RFC 9112 §6.1",
"rfcLevel": "Must",
"expected": "400 or close",
- "verdict": "Fail",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: \r\nContent-Length: 5\r\n\r\nhello",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n",
- "behavioralNote": "Body: 0"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: \r\nContent-Length: 5\r\n\r\nhello"
},
{
"id": "SMUG-TE-FORMFEED",
@@ -763,11 +753,8 @@
"rfcReference": "RFC 9112 §7",
"rfcLevel": "Must",
"expected": "400/501 or close",
- "verdict": "Fail",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: identity\r\nContent-Length: 5\r\n\r\nhello",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n",
- "behavioralNote": "Body: 0"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: identity\r\nContent-Length: 5\r\n\r\nhello"
},
{
"id": "SMUG-TE-LEADING-COMMA",
@@ -786,10 +773,8 @@
"rfcReference": "RFC 9112 §6.3",
"rfcLevel": "Must",
"expected": "400 or close",
- "verdict": "Fail",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n"
},
{
"id": "SMUG-TE-NULL",
@@ -868,11 +853,8 @@
"rfcReference": "RFC 9112 §6.1",
"rfcLevel": "Must",
"expected": "400/501 or close",
- "verdict": "Fail",
- "statusCode": 200,
- "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: xchunked\r\nContent-Length: 5\r\n\r\nhello",
- "rawResponse": "HTTP/1.1 200 OK\r\nx-powered-by: Dart with package:shelf\r\ntransfer-encoding: chunked\r\ndate: <DATE>\r\nx-frame-options: SAMEORIGIN\r\ncontent-type: text/plain; charset=utf-8\r\nx-xss-protection: 1; mode=block\r\nx-content-type-options: nosniff\r\n\r\n0\r\n\r\n",
- "behavioralNote": "Body: 0"
+ "verdict": "Pass",
+ "rawRequest": "POST / HTTP/1.1\r\nHost: 127.0.0.1:<PORT>\r\nTransfer-Encoding: xchunked\r\nContent-Length: 5\r\n\r\nhello"
},
{
"id": "SMUG-TECL-CONN-CLOSE",
diff --git a/pkgs/_shelf_compliance/shelf_summary.md b/pkgs/_shelf_compliance/shelf_summary.md
index 9ae8f0a..c5235a9 100644
--- a/pkgs/_shelf_compliance/shelf_summary.md
+++ b/pkgs/_shelf_compliance/shelf_summary.md
@@ -3,9 +3,9 @@
| Category | Count |
| --- | --- |
| Total | 215 |
-| Passed | 101 |
-| Failed | 56 |
-| Warnings | 58 |
+| Passed | 109 |
+| Failed | 49 |
+| Warnings | 57 |
| Errors | 0 |
## Failed or Warning Results
@@ -45,7 +45,6 @@
| COMP-TRACE-SENSITIVE | Compliance | Fail | TRACE should exclude sensitive headers from echoed response |
| COMP-TRACE-WITH-BODY | Compliance | Fail | TRACE with Content-Length body should be rejected |
| COMP-UNKNOWN-METHOD | Compliance | Fail | Unrecognized method should be rejected with 501 or 405 |
-| COMP-UNKNOWN-TE-501 | Compliance | Fail | Unknown Transfer-Encoding without CL should be rejected with 501 |
| COMP-VERSION-CASE | Compliance | Warn | HTTP version is case-sensitive — lowercase 'http' must be rejected |
| COMP-VERSION-LEADING-ZEROS | Compliance | Warn | HTTP/01.01 — leading zeros in version digits are invalid |
| COMP-VERSION-MISSING-MINOR | Compliance | Warn | HTTP/1 with no minor version digit is invalid |
@@ -87,7 +86,6 @@
| SMUG-CHUNK-LF-TRAILER | Smuggling | Warn | Bare LF in chunked trailer termination — server MAY accept bare LF per RFC 9112 §2.2 |
| SMUG-CHUNK-MISSING-TRAILING-CRLF | Smuggling | Fail | Chunk data without trailing CRLF must be rejected |
| SMUG-CHUNK-SPILL | Smuggling | Fail | Chunk declares size 5 but sends 7 bytes — oversized chunk data must be rejected |
-| SMUG-CHUNKED-WITH-PARAMS | Smuggling | Warn | Transfer-Encoding: chunked;ext=val — parameters on chunked encoding |
| SMUG-CL-DOUBLE-ZERO | Smuggling | Warn | Content-Length: 00 — matches 1*DIGIT but leading zero ambiguity |
| SMUG-CL-EXTRA-LEADING-SP | Smuggling | Warn | Content-Length with extra leading whitespace (double space OWS) |
| SMUG-CL-LEADING-ZEROS | Smuggling | Warn | Content-Length with leading zeros — valid per 1*DIGIT grammar but may cause parser disagreement |
@@ -100,7 +98,6 @@
| SMUG-CLTE-PIPELINE | Smuggling | Warn | CL.TE conflict — both Content-Length and Transfer-Encoding: chunked present |
| SMUG-CLTE-SMUGGLED-GET | Smuggling | Fail | CL.TE desync — embedded GET in body; multiple responses indicate request boundary confusion |
| SMUG-CLTE-SMUGGLED-GET-TE-CASE-MISMATCH | Smuggling | Fail | CL.TE desync with TE case mismatch — multiple responses indicate request boundary confusion |
-| SMUG-CLTE-SMUGGLED-GET-TE-LEADING-COMMA | Smuggling | Fail | CL.TE desync with TE leading comma — multiple responses indicate request boundary confusion |
| SMUG-CLTE-SMUGGLED-GET-TE-OBS-FOLD | Smuggling | Fail | CL.TE desync with obs-folded Transfer-Encoding — multiple responses indicate request boundary confusion |
| SMUG-CLTE-SMUGGLED-GET-TE-TRAILING-SPACE | Smuggling | Fail | CL.TE desync with TE trailing space — multiple responses indicate request boundary confusion |
| SMUG-CLTE-SMUGGLED-HEAD | Smuggling | Fail | CL.TE desync — embedded HEAD in body; multiple responses indicate request boundary confusion |
@@ -110,11 +107,6 @@
| SMUG-MULTIPLE-HOST-COMMA | Smuggling | Fail | Host header with comma-separated values must be rejected |
| SMUG-OPTIONS-CL-BODY | Smuggling | Fail | OPTIONS with Content-Length and body — server should consume or reject body |
| SMUG-OPTIONS-CL-BODY-DESYNC | Smuggling | Fail | OPTIONS with Content-Length body followed by a second request — detects unread-body desync |
-| SMUG-TE-DUPLICATE-HEADERS-SMUGGLED-GET | Smuggling | Fail | TE.TE + CL ambiguity with embedded GET — multiple responses indicate request boundary confusion |
-| SMUG-TE-EMPTY-VALUE | Smuggling | Fail | Transfer-Encoding with empty value must be rejected |
-| SMUG-TE-IDENTITY | Smuggling | Fail | Transfer-Encoding: identity (deprecated) with CL must be rejected |
-| SMUG-TE-NOT-FINAL-CHUNKED | Smuggling | Fail | Transfer-Encoding where chunked is not final — server MUST respond with 400 (RFC 9112 §6.3) |
-| SMUG-TE-XCHUNKED | Smuggling | Fail | Transfer-Encoding: xchunked must not be treated as chunked |
| SMUG-TECL-CONN-CLOSE | Smuggling | Fail | TE+CL conflict (reversed order) — server MUST close connection after responding |
| SMUG-TECL-DESYNC | Smuggling | Fail | TE.CL desync — chunked terminator before CL boundary, leftover bytes smuggled |
| SMUG-TECL-PIPELINE | Smuggling | Warn | TE.CL conflict — Transfer-Encoding: chunked + conflicting Content-Length |