Reevaluate SMUG-CLTE-PIPELINE and SMUG-TECL-PIPELINE

Author: MDA2AV

AGENTS.md

@@ -45,8 +45,6 @@ yield return new TestCase
     RfcReference = "RFC 9112 §5.1",                // Use § not "Section". Omit if no RFC applies.
     Scored = true,                                 // Default true. Set false for MAY/informational tests.
     AllowConnectionClose = false,                  // On Expected. See validation rules below.
-    FollowUpPayloadFactory = ctx => ...,           // Second request on same connection (pipeline tests).
-    RequiresConnectionReuse = false,               // True if FollowUpPayloadFactory needs same TCP connection.
     BehavioralAnalyzer = (response) => ...,        // Optional Func<HttpResponse?, string?> for analysis notes.
 };
 ```

docs/content/docs/smuggling/clte-pipeline.md

@@ -8,13 +8,14 @@ weight: 8
 |---|---|
 | **Test ID** | `SMUG-CLTE-PIPELINE` |
 | **Category** | Smuggling |
+| **Scored** | Yes |
 | **RFC** | [RFC 9112 §6.1](https://www.rfc-editor.org/rfc/rfc9112#section-6.1) |
-| **Requirement** | MUST close connection |
-| **Expected** | `400` or close |
+| **RFC Level** | MAY |
+| **Expected** | `400` or close preferred; `2xx` acceptable |
 
 ## What it sends
 
-A full CL.TE smuggling payload — a POST request with both Content-Length and Transfer-Encoding headers, where the body contains a chunked `0` terminator followed by a smuggled second request.
+A request with both `Content-Length` and `Transfer-Encoding: chunked` — the classic CL.TE conflict pattern.
 
 ```http
 POST / HTTP/1.1\r\n
@@ -26,62 +27,27 @@ Transfer-Encoding: chunked\r\n
 \r\n
 ```
 
-Followed immediately on the same connection by:
-
-```http
-GET / HTTP/1.1\r\n
-Host: localhost:8080\r\n
-\r\n
-```
-
-A CL-only parser reads 4 bytes (`0\r\n\r`) as the body and sees the follow-up `GET`. A TE parser sees the `0` chunk as end-of-body and processes the `GET` as a separate request.
-
+A CL-only parser reads 4 bytes (`0\r\n\r`) as the body. A TE parser sees the `0` chunk as end-of-body. The ambiguity is what makes this a smuggling vector in proxy chains.
 
 ## What the RFC says
 
-> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 11.2) or response splitting (Section 11.1) and ought to be handled as an error." — RFC 9112 §6.3
-
 > "A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks." — RFC 9112 §6.1
 
-## Why it matters
-
-This is not a theoretical test — it's the actual attack payload. If the server processes the first request using CL and the second appears in the pipeline, the smuggling succeeded.
-
-## Deep Analysis
-
-### Relevant ABNF
-
-From RFC 9112 Section 6, the message body length algorithm depends on these headers:
-
-```
-Transfer-Encoding = #transfer-coding
-Content-Length    = 1*DIGIT
-message-body     = *OCTET
-```
-
-When both headers are present, the specification defines a strict precedence rule that eliminates ambiguity.
-
-### RFC Evidence
-
-> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling or response splitting and ought to be handled as an error." -- RFC 9112 Section 6.3
-
-> "A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks." -- RFC 9112 Section 6.1
-
-> "A sender MUST NOT send a Content-Length header field in any message that contains a Transfer-Encoding header field." -- RFC 9112 Section 6.2
-
-### Chain of Reasoning
+> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 11.2) or response splitting (Section 11.1) and ought to be handled as an error." — RFC 9112 §6.3
 
-1. **Dual framing headers create ambiguity by design.** The CL.TE payload sends `Content-Length: 4` and `Transfer-Encoding: chunked` simultaneously. A CL-only parser reads exactly 4 bytes (`0\r\n\r`) as the body, leaving the trailing `\n` and the pipelined `GET` request on the connection. A TE-compliant parser reads the `0` chunk terminator and considers the body complete at a different boundary.
+## Why it matters
 
-2. **RFC 9112 Section 6.3 explicitly names this as a smuggling vector.** The specification does not merely discourage dual headers -- it calls out "request smuggling" by name and says the message "ought to be handled as an error." This is one of the rare cases where the RFC specifically names the attack it is trying to prevent.
+When both framing headers are present, different parsers in a proxy chain may disagree on where the body ends. A server that rejects the ambiguous request with `400` eliminates the risk entirely. A server that accepts it (processing via TE alone) is RFC-compliant but relies on connection closure to prevent exploitation.
 
-3. **The MUST-close requirement in Section 6.1 is the critical defense.** Even if the server chooses to process the request (using TE alone, as permitted), it MUST close the connection afterward. This prevents any leftover bytes from being interpreted as a subsequent request. A server that keeps the connection open after processing a dual-header request is vulnerable regardless of which framing method it chose.
+## Verdicts
 
-4. **Attack scenario.** An attacker sends the CL.TE payload to a proxy-origin pair. The proxy uses Content-Length (reads 4 bytes, forwards, then reads the `GET` as a separate pipelined request). The origin uses Transfer-Encoding (reads the `0` chunk, considers the POST done, then reads the `GET` -- but from the attacker's smuggled bytes, not from the proxy's pipeline). The origin now processes a request the proxy never authorized, potentially with attacker-controlled headers and path.
+- **Pass** — Server rejects with `400` or closes the connection (safest behavior)
+- **Warn** — Server responds with `2xx` (RFC-compliant if it processes via TE and closes the connection, but the lenient path)
+- **Fail** — Any other response
 
-### Scored / Unscored Justification
+## Scored / Unscored Justification
 
-This test is **scored** -- a `2xx` response results in a **Fail**. The RFC uses MUST-level language requiring connection closure after processing a dual CL+TE request, and the specification explicitly identifies this pattern as a smuggling vector. The test sends a pipelined follow-up `GET` on the same connection: if the server responds to it with `2xx`, it means the connection was kept alive after the ambiguous request, directly violating the MUST-close requirement and demonstrating exploitable behavior. There is no RFC-defensible reason for a server to keep the connection open in this scenario.
+This test is **scored**. Although the RFC uses MAY language, there is a clear preferred outcome: rejecting the ambiguous request is safer than accepting it. A `2xx` response counts as a warning rather than a pass, reflecting the security trade-off.
 
 ## Sources
 

docs/content/docs/smuggling/tecl-pipeline.md

@@ -8,13 +8,14 @@ weight: 9
 |---|---|
 | **Test ID** | `SMUG-TECL-PIPELINE` |
 | **Category** | Smuggling |
+| **Scored** | Yes |
 | **RFC** | [RFC 9112 §6.1](https://www.rfc-editor.org/rfc/rfc9112#section-6.1) |
-| **Requirement** | MUST close connection |
-| **Expected** | `400` or close |
+| **RFC Level** | MAY |
+| **Expected** | `400` or close preferred; `2xx` acceptable |
 
 ## What it sends
 
-A full TE.CL smuggling payload — the reverse of CLTE. The front-end uses Transfer-Encoding and the body is crafted so the back-end (using Content-Length) sees a smuggled request.
+The reverse of CL.TE — a request with `Transfer-Encoding: chunked` listed first, plus a conflicting `Content-Length`.
 
 ```http
 POST / HTTP/1.1\r\n
@@ -26,62 +27,27 @@ Content-Length: 30\r\n
 \r\n
 ```
 
-Followed immediately on the same connection by:
-
-```http
-GET / HTTP/1.1\r\n
-Host: localhost:8080\r\n
-\r\n
-```
-
-A TE parser sees the `0` chunk as end-of-body. A CL-only parser tries to read 30 bytes and consumes the follow-up `GET` as body data.
-
+A TE parser sees the `0` chunk as end-of-body (5 bytes consumed). A CL parser tries to read 30 bytes, consuming far more than the chunked body. The disagreement is what enables the TE.CL smuggling variant.
 
 ## What the RFC says
 
-> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 11.2) or response splitting (Section 11.1) and ought to be handled as an error." — RFC 9112 §6.3
-
 > "A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks." — RFC 9112 §6.1
 
-## Why it matters
-
-The TE.CL variant is equally dangerous to CL.TE. Together, they cover both possible orderings of front-end/back-end preference.
-
-## Deep Analysis
-
-### Relevant ABNF
-
-From RFC 9112 Section 6:
-
-```
-Transfer-Encoding = #transfer-coding
-Content-Length    = 1*DIGIT
-message-body     = *OCTET
-```
-
-The TE.CL variant reverses the header order compared to CL.TE, but the same precedence rule applies: Transfer-Encoding overrides Content-Length.
-
-### RFC Evidence
-
-> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling or response splitting and ought to be handled as an error." -- RFC 9112 Section 6.3
-
-> "A server MAY reject a request that contains both Content-Length and Transfer-Encoding or process such a request in accordance with the Transfer-Encoding alone. Regardless, the server MUST close the connection after responding to such a request to avoid the potential attacks." -- RFC 9112 Section 6.1
-
-> "A sender MUST NOT send a Content-Length header field in any message that contains a Transfer-Encoding header field." -- RFC 9112 Section 6.2
-
-### Chain of Reasoning
+> "If a message is received with both a Transfer-Encoding and a Content-Length header field, the Transfer-Encoding overrides the Content-Length. Such a message might indicate an attempt to perform request smuggling (Section 11.2) or response splitting (Section 11.1) and ought to be handled as an error." — RFC 9112 §6.3
 
-1. **TE.CL reverses the parser disagreement.** In this variant, the front-end uses Transfer-Encoding (reads the `0` chunk, considers the POST body complete) while the back-end uses Content-Length (tries to read 30 bytes, consuming the pipelined `GET` as part of the POST body). The fundamental issue is identical to CL.TE: two parsers in the same chain disagree on where the first request's body ends.
+## Why it matters
 
-2. **The 30-byte Content-Length is carefully chosen.** The chunked body (`0\r\n\r\n`) is only 5 bytes. Content-Length says 30. A CL parser will attempt to read 25 more bytes from the connection, consuming part or all of the follow-up `GET` request. This means the back-end either hangs waiting for data, consumes the next request, or produces an error -- all of which indicate a desync.
+Together with CL.TE, this covers both orderings of the dual-header conflict. A proxy chain where one hop prefers TE and the other prefers CL is vulnerable to this variant. Rejecting the request outright is the safest defense.
 
-3. **The RFC treats both variants identically.** Section 6.3 does not distinguish CL+TE from TE+CL header ordering. The rule is the same: TE overrides CL, the message ought to be treated as an error, and Section 6.1 mandates connection closure regardless of how the server processes the request. A compliant server handles both CLTE and TECL with the same defensive behavior.
+## Verdicts
 
-4. **Attack scenario.** An attacker sends the TE.CL payload through a proxy. The proxy processes chunked encoding, sees the empty `0` terminator, and forwards the completed POST. The back-end, using Content-Length, reads 30 bytes -- consuming the chunked body plus the beginning of the next legitimate request from the proxy's pipeline. The back-end now has a corrupted view of the request stream, and the attacker can inject arbitrary request fragments that the proxy never inspected.
+- **Pass** — Server rejects with `400` or closes the connection (safest behavior)
+- **Warn** — Server responds with `2xx` (RFC-compliant if it processes via TE and closes the connection, but the lenient path)
+- **Fail** — Any other response
 
-### Scored / Unscored Justification
+## Scored / Unscored Justification
 
-This test is **scored** -- a `2xx` response results in a **Fail**. The reasoning mirrors CLTE-PIPELINE exactly: RFC 9112 Section 6.1 uses MUST-level language requiring connection closure after a dual CL+TE request. If the pipelined `GET` receives a `2xx` response, the server kept the connection open and is demonstrably vulnerable to the TE.CL smuggling variant. Both CL.TE and TE.CL are scored because the RFC requirement is the same for both, and both represent direct, exploitable attack payloads.
+This test is **scored**. Although the RFC uses MAY language, there is a clear preferred outcome: rejecting the ambiguous request is safer than accepting it. The reasoning mirrors CLTE-PIPELINE exactly.
 
 ## Sources
 

src/Http11Probe/Client/RawTcpClient.cs

@@ -157,7 +157,7 @@ public ConnectionState CheckConnectionState()
 
     private static int FindHeaderTerminator(ReadOnlySpan<byte> data)
     {
-        ReadOnlySpan<byte> terminator = [0x0D, 0x0A, 0x0D, 0x0A];
+        ReadOnlySpan<byte> terminator = "\r\n\r\n"u8;
         return data.IndexOf(terminator);
     }
 

src/Http11Probe/Response/HttpResponse.cs

@@ -3,10 +3,16 @@ namespace Http11Probe.Response;
 public sealed class HttpResponse
 {
     public required int StatusCode { get; init; }
+    
     public required string ReasonPhrase { get; init; }
+    
     public required string HttpVersion { get; init; }
+    
     public required IReadOnlyDictionary<string, string> Headers { get; init; }
+    
     public bool IsEmpty { get; init; }
+    
     public string? RawResponse { get; init; }
+    
     public string? Body { get; init; }
 }

src/Http11Probe/Runner/TestRunOptions.cs

@@ -5,9 +5,14 @@ namespace Http11Probe.Runner;
 public sealed class TestRunOptions
 {
     public required string Host { get; init; }
+    
     public required int Port { get; init; }
+    
     public TimeSpan ConnectTimeout { get; init; } = TimeSpan.FromSeconds(5);
+    
     public TimeSpan ReadTimeout { get; init; } = TimeSpan.FromSeconds(5);
+    
     public TestCategory? CategoryFilter { get; init; }
+    
     public HashSet<string>? TestIdFilter { get; init; }
 }

src/Http11Probe/Runner/TestRunReport.cs

@@ -5,13 +5,21 @@ namespace Http11Probe.Runner;
 public sealed class TestRunReport
 {
     public required IReadOnlyList<TestResult> Results { get; init; }
+    
     public required TimeSpan TotalDuration { get; init; }
+    
 
     public int PassCount => Results.Count(r => r.TestCase.Scored && r.Verdict == TestVerdict.Pass);
+    
     public int FailCount => Results.Count(r => r.TestCase.Scored && r.Verdict == TestVerdict.Fail);
+    
     public int WarnCount => Results.Count(r => r.TestCase.Scored && r.Verdict == TestVerdict.Warn);
+    
     public int ScoredCount => PassCount + FailCount + WarnCount;
+    
     public int SkipCount => Results.Count(r => r.Verdict == TestVerdict.Skip);
+    
     public int ErrorCount => Results.Count(r => r.Verdict == TestVerdict.Error);
+    
     public int UnscoredCount => Results.Count(r => !r.TestCase.Scored && r.Verdict != TestVerdict.Skip);
 }

src/Http11Probe/Runner/TestRunner.cs

@@ -88,20 +88,9 @@ private async Task<TestResult> RunSingleAsync(TestCase testCase, TestContext con
             var (data, length, readState, drainCaughtData) = await client.ReadResponseAsync();
             var response = ResponseParser.TryParse(data.AsSpan(), length);
 
-            HttpResponse? followUpResponse = null;
             var connectionState = readState;
 
-            // If follow-up is needed and connection is still open
-            if (testCase.FollowUpPayloadFactory is not null && connectionState == ConnectionState.Open)
-            {
-                var followUpPayload = testCase.FollowUpPayloadFactory(context);
-                await client.SendAsync(followUpPayload);
-
-                var (fuData, fuLength, fuState, _) = await client.ReadResponseAsync();
-                followUpResponse = ResponseParser.TryParse(fuData.AsSpan(), fuLength);
-                connectionState = fuState;
-            }
-            else if (connectionState == ConnectionState.Open && !testCase.RequiresConnectionReuse)
+            if (connectionState == ConnectionState.Open)
             {
                 // Brief pause then check if server closed the connection
                 await Task.Delay(50);
@@ -116,7 +105,6 @@ private async Task<TestResult> RunSingleAsync(TestCase testCase, TestContext con
                 TestCase = testCase,
                 Verdict = verdict,
                 Response = response,
-                FollowUpResponse = followUpResponse,
                 ConnectionState = connectionState,
                 BehavioralNote = behavioralNote,
                 RawRequest = rawRequest,