Skip to content

Fix flaky filter_body autest for request blocking #12876

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bryancall wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix flaky filter_body autest for request blocking #12876

bryancall wants to merge 1 commit into from
+11 −7

Conversation

@bryancall
Copy link
Contributor

@bryancall bryancall commented Feb 11, 2026

Summary

  • Remove the proxy-response: status: 502 assertion from the request-block test because the response status is inherently racy -- the origin may respond before ATS acts on the block
  • Update the test comment to explain why no status assertion is made
  • Plugin correctness is still verified via diags.log checks that confirm the rule matched and blocking action was taken

Details

Request body transforms run after headers are sent to the origin. By the time the body is inspected and the plugin decides to block, the origin may have already responded. The client can see a 502, a closed connection, or the origin's 200 response depending on timing.

The diags.log validations already verify:

  • The block rule matched (Matched rule: xxe_request_block)
  • The blocking action was taken (Blocking request due to rule)

These are the meaningful checks -- the HTTP status code to the client is a side effect of the race.

Fixes #12875

@bryancall
Fix flaky filter_body autest for request blocking
9461489 
The request-block test asserted proxy-response status 502, but this is
inherently racy. Request body transforms run after headers are sent to
the origin, so the origin may respond before ATS acts on the block. The
client can see a 502, a closed connection, or the origin's 200 response
depending on timing.

Remove the proxy-response status assertion and rely on the diags.log
checks which verify the plugin correctly matched the rule and took the
blocking action.

Fixes apache#12875
@bryancall bryancall self-assigned this Feb 11, 2026
@bryancall bryancall modified the milestones: 10.2.0, 11.0.0 Feb 11, 2026
bneradt
bneradt requested changes Feb 11, 2026
View reviewed changes
tests/gold_tests/pluginTest/filter_body/filter_body.replay.yaml
Comment on lines 168 to 202
@@ -194,8 +198,8 @@ sessions:
content:
data: "OK"

proxy-response:
status: 502
# Note: proxy-response status is not checked because request body
# blocking is inherently racy. See comment above.
Copy link
Contributor

@bneradt bneradt Feb 11, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But, isn't ATS supposed to be dropping this connection before the request body is sent? I'm pretty sure Proxy Verifier server will await the 49 bytes before sending a response.

If this test fails sometimes, I'm concerned that the block functionality of the plugin itself is flakey, not the test.

@bneradt
Copy link
Contributor

bneradt commented Feb 11, 2026
edited
Loading

The diags.log validations already verify:

  • The block rule matched (Matched rule: xxe_request_block)
  • The blocking action was taken (Blocking request due to rule)

These are the meaningful checks -- the HTTP status code to the client is a side effect of the race.

I disagree, Claude. The meaningful check is whether the body got blocked or whether it incorrectly leaked to the origin. Logs are nice for identifying offensive traffic, but if the body gets to the origin, but our logs say we blocked it, users will be pretty unhappy. If the offensive body triggers a crash on the origin, or remote executes code, for example, but ATS said it blocked it when it didn't, no one is going to be happy with ATS's behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bneradt bneradt bneradt requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@bryancall bryancall

Labels

filter_body

Projects

ATS v10.2.x
Status: No status

Milestone

11.0.0

Development

Successfully merging this pull request may close these issues.

filter_body autest fails in CI sometimes: request not blocked

2 participants

@bryancall @bneradt