fix: add HTTP parse error counter and surface in summary (#17) #27

Merged: Zious11 merged 8 commits into develop from worktree-http-parse-errors on Apr 7, 2026

Zious11 (Owner) commented Apr 7, 2026

Summary

  • Change parse_one_request/parse_one_response return type from Result<_, ()> to Result<_, httparse::Error> to preserve error variant information
  • Add aggregate parse_errors: u64 counter to HttpAnalyzer, surfaced in summarize() output
  • Generate a Finding for httparse::Error::TooManyHeaders (Anomaly, Inconclusive, Medium confidence, MITRE T1499.002 — Service Exhaustion Flood)
  • Other httparse error variants increment counter only (malformed traffic, not specific attacks)

Closes #17

Test plan

  • test_parse_error_increments_counter — malformed request increments counter, no finding generated
  • test_parse_error_in_summarize — counter appears in summarize() detail map
  • test_too_many_headers_generates_finding — 97-header request triggers finding with correct fields
  • test_too_many_headers_in_response_generates_finding — response path finding with "response" evidence
  • test_parse_error_in_response — malformed response increments counter, no finding
  • test_parse_error_clears_buffer_and_continues — buffer cleared on error, subsequent valid request parses
  • test_multiple_parse_errors_accumulate — counter correctly accumulates across multiple errors
  • test_normal_request_no_parse_errors — valid request: zero errors, no findings
  • All 22 http_analyzer_tests pass, 97 total tests pass
  • clippy clean, fmt clean

Zious11 added 7 commits April 6, 2026 23:15
Covers return type change, aggregate counter, summarize() output,
TooManyHeaders finding (T1499.002), and test plan.
4 tasks: return type change, error handling + finding, summarize output,
comprehensive test suite (6 new tests).
- Add no-finding assertions to Token error tests (request + response)
- Add TooManyHeaders test for response path (validates evidence string)
- Add multi-error accumulation test (verifies counter > 1)
Copilot AI left a comment

Pull request overview

This PR enhances the HTTP stream analyzer to preserve httparse::Error variants, track an aggregate parse-error counter, and surface that counter in summarize(), with a specific security Finding emitted for TooManyHeaders (DoS/header-flood signal).

Changes:

  • Change parse_one_request / parse_one_response to return Result<_, httparse::Error> instead of collapsing errors to ().
  • Add parse_errors: u64 to HttpAnalyzer, expose it via parse_error_count(), and include it in summarize() detail output.
  • Generate an Anomaly finding for httparse::Error::TooManyHeaders; add tests covering counter behavior and the finding.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/analyzer/http.rs | Preserve httparse::Error, increment/emit parse-error signals, and surface parse_errors in summary output. |
| tests/http_analyzer_tests.rs | Add targeted tests for parse-error counting, summary surfacing, TooManyHeaders finding, and recovery behavior. |
| docs/superpowers/specs/2026-04-06-http-parse-error-design.md | Spec describing the intended behavior and rationale for parse error handling. |
| docs/superpowers/plans/2026-04-06-http-parse-error.md | Implementation plan/checklist for the change set. |

After a successful header parse, remaining body bytes would be re-parsed
as HTTP and inflate parse_errors on normal traffic. Add had_success flag
to suppress counting errors that follow a successful parse in the same
call (body-byte-induced). Update spec with design decision.
@Zious11 Zious11 merged commit 171413f into develop Apr 7, 2026
4 checks passed
@Zious11 Zious11 deleted the worktree-http-parse-errors branch April 7, 2026 04:49
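
The error handling this PR describes (variant-preserving parse errors, the parse_errors counter, the TooManyHeaders finding, buffer clearing on error, and the had_success suppression), sketched as an added example that is not the project's code. `parse_head`, `ParseError`, `Analyzer`, `on_data` and the 96-header limit are stand-ins assumed here in place of httparse and the real HttpAnalyzer.

```rust
// Added example: stand-in types, not the project's code or the httparse API.
const MAX_HEADERS: usize = 96; // assumed limit, inferred from the 97-header test
#[derive(Debug, PartialEq)]
enum ParseError { Token, TooManyHeaders } // mirrors two httparse::Error variants
#[derive(Default)]
struct Analyzer { buf: Vec<u8>, requests: u64, parse_errors: u64, findings: Vec<String> }
/// Toy head parser: Ok(None) = need more data, Ok(Some(n)) = head used n bytes.
fn parse_head(buf: &[u8]) -> Result<Option<usize>, ParseError> {
    if matches!(buf.first(), Some(b) if !b.is_ascii_uppercase()) {
        return Err(ParseError::Token); // not a method token, e.g. body bytes
    }
    let Some(end) = buf.windows(4).position(|w| w == b"\r\n\r\n") else { return Ok(None) };
    let head = std::str::from_utf8(&buf[..end]).map_err(|_| ParseError::Token)?;
    let mut lines = head.split("\r\n");
    if lines.next().map_or(0, |l| l.split(' ').count()) != 3 {
        return Err(ParseError::Token); // request line is not "METHOD target version"
    }
    if lines.count() > MAX_HEADERS {
        return Err(ParseError::TooManyHeaders);
    }
    Ok(Some(end + 4))
}
impl Analyzer {
    fn on_data(&mut self, data: &[u8]) {
        self.buf.extend_from_slice(data);
        let mut had_success = false; // per call, as the last commit message describes
        loop {
            match parse_head(&self.buf) {
                Ok(Some(n)) => { self.buf.drain(..n); self.requests += 1; had_success = true; }
                Ok(None) => return,
                Err(e) => {
                    self.buf.clear(); // drop bad bytes so later traffic still parses
                    if had_success { return; } // leftover body: no count, no finding (assumed)
                    self.parse_errors += 1;
                    if e == ParseError::TooManyHeaders {
                        self.findings.push("TooManyHeaders in request (T1499.002)".into());
                    }
                    return;
                }
            }
        }
    }
}

fn main() {
    let mut a = Analyzer::default();
    a.on_data(b"POST /x HTTP/1.1\r\nHost: a\r\n\r\n{\"a\":1}"); // constructed sample
    println!("requests={} parse_errors={} findings={:?}", a.requests, a.parse_errors, a.findings);
}
```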