WebServer malformed request hardening for REST and legacy HTML

Summary

Harden malformed request handling at the WebServer boundary while preserving valid legacy HTML and REST behavior.

Beta 0.7.3 Classification

Release Gate. This must land before the first public release because the REST API and legacy HTML server share the same embedded WebServer boundary. Malformed REST requests must fail as REST without falling into legacy login/session behavior.

Execution Plan

Historical release context: Beta 0.7.3 REST and Arr execution plan.

Acceptance Criteria

  • [x] invalid JSON, non-object JSON, truncated body, unsupported method, and unsupported route are tested
  • [x] content-type mismatches and encoded path oddities do not escape the REST routing model
  • [x] oversized or suspicious request bodies fail cleanly without large allocation spikes
  • [x] REST routes never fall back to HTML login/session behavior
  • [x] legacy HTML routes still render after REST hardening
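A boundary classifier that would satisfy the routing, method, encoded-path and oversized-body criteria above, as an added sketch that is not the project's code. The `/api/` prefix, the GET/POST allowlist, the 64 KiB cap and all function names are assumptions made for illustration.

```cpp
#include <cstddef>
#include <string>
#include <string_view>
// Assumed for this sketch, not taken from the project: REST lives under
// "/api/", accepts only GET and POST, and caps request bodies at 64 KiB.
constexpr std::string_view kRestPrefix = "/api/";
constexpr std::size_t kMaxBody = 64 * 1024;

enum class Verdict { LegacyHtml, RestOk, RestBadRequest, RestMethodNotAllowed, RestTooLarge };

static int hex_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Percent-decode exactly once. Invalid or truncated escapes and decoded NUL
// bytes set `bad` instead of aborting, so the prefix check still sees the path.
static std::string decode_once(std::string_view raw, bool& bad) {
    std::string out;
    for (std::size_t i = 0; i < raw.size(); ++i) {
        char c = raw[i];
        if (c == '%') {
            int hi = i + 2 < raw.size() ? hex_value(raw[i + 1]) : -1;
            int lo = i + 2 < raw.size() ? hex_value(raw[i + 2]) : -1;
            if (hi < 0 || lo < 0) { bad = true; out.push_back(c); continue; }
            c = static_cast<char>(hi * 16 + lo);
            i += 2;
        }
        if (c == '\0') bad = true;
        out.push_back(c);
    }
    return out;
}

// Pick the owning handler before any body is buffered; REST paths only get REST verdicts.
Verdict classify(std::string_view method, std::string_view raw_path, std::size_t declared_len) {
    bool bad = false;
    const std::string path = decode_once(raw_path, bad);
    if (std::string_view(path).substr(0, kRestPrefix.size()) != kRestPrefix)
        return Verdict::LegacyHtml;
    // Dot segments, backslashes, or a '%' left after one decode (double encoding).
    if (bad || path.find("..") != std::string::npos || path.find_first_of("\\%") != std::string::npos)
        return Verdict::RestBadRequest;
    if (method != "GET" && method != "POST") return Verdict::RestMethodNotAllowed;
    if (declared_len > kMaxBody) return Verdict::RestTooLarge;  // reject before allocating
    return Verdict::RestOk;
}
```

Each REST verdict other than `RestOk` would map to a REST error response; only `LegacyHtml` is ever handed to the login/session code path.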

Completion Evidence

  • App commits: 8d324d4, 40bac28, 90c6352, 41964c8.
  • Test commits: cee7499, 214b327, 2746ef1, 7b002f2, f3d8923, e0f8ef6, aea6934.
  • Commands: python -m emule_workspace build tests --config Debug --platform x64; python -m emule_workspace test all --config Debug --platform x64.
  • Artifacts: workspaces\v0.72a\state\build-logs\20260506-173324; repos\emulebb-build-tests\reports\native-coverage\20260506-173327-eMulebb-workspace-v0.72a-eMule-main-x64-Debug.
  • Native tests passed 481/481 cases and 2679/2679 assertions.

Relationship To Other Items

  • gates CI-015
  • complements BUG-069, BUG-073, and BUG-075