Benchmark maliciously long ACRH header

rs · Mar 27, 2024 · ad0e722 · ad0e722
1 parent 8d33ca4
commit ad0e722
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/bench_test.go b/bench_test.go
@@ -1,7 +1,9 @@
 package cors
 
 import (
+	"math"
 	"net/http"
+	"strings"
 	"testing"
 )
 
@@ -97,6 +99,21 @@ func BenchmarkPreflightHeader(b *testing.B) {
 	}
 }
 
+func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+	resps := makeFakeResponses(b.N)
+	req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+	req.Header.Add(headerOrigin, dummyOrigin)
+	req.Header.Add(headerACRM, http.MethodGet)
+	req.Header[headerACRH] = adversarialACRH
+	handler := Default().Handler(testHandler)
+
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		handler.ServeHTTP(resps[i], req)
+	}
+}
+
 func makeFakeResponses(n int) []*FakeResponse {
 	resps := make([]*FakeResponse, n)
 	for i := 0; i < n; i++ {
@@ -106,3 +123,15 @@ func makeFakeResponses(n int) []*FakeResponse {
 	}
 	return resps
 }
+
+var adversarialACRH []string
+
+func init() { // populates adversarialACRH
+	n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+	commas := strings.Repeat(",", n)
+	res := make([]string, n)
+	for i := range res {
+		res[i] = commas
+	}
+	adversarialACRH = res
+}