rack-libinjection 0.1.0

data/samples/rack_query_hot_path.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+# Rack middleware hot-path sample for the raw query-string surface:
+#   Rack::LibInjection.new(app, scan: [:query]).call(env)
+#
+# This path avoids Rack nested param parsing and scans the raw query string plus
+# decoded variants. It is a fast WAF-style signal surface, not a semantic params
+# walker replacement.
+#
+# Run:
+#   bundle exec ruby samples/rack_query_hot_path.rb
+#
+# Optional env:
+#   PAYLOAD=clean|sqli|xss DURATION=20 PREHEAT_ITERATIONS=100 DISABLE_GC=0 \
+#     THREATS=sqli,xss PATH_DECODE_DEPTH=2 bundle exec ruby samples/rack_query_hot_path.rb
+
+$stdout.sync = true
+$stderr.sync = true
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+
+require "rack/mock"
+require "rack/libinjection"
+
+payload_mode = ENV.fetch("PAYLOAD", "clean")
+threats = ENV.fetch("THREATS", "sqli,xss").split(",").map { |value| value.strip.to_sym }
+path_decode_depth = Integer(ENV.fetch("PATH_DECODE_DEPTH", "2"))
+sleep_before_hot_loop = Float(ENV.fetch("SLEEP_BEFORE_HOT_LOOP", "7.0"))
+duration = Float(ENV.fetch("DURATION", "20.0"))
+preheat_iterations = Integer(ENV.fetch("PREHEAT_ITERATIONS", "100"))
+disable_gc = ENV.fetch("DISABLE_GC", "0") != "0"
+sample_name = "rack_libinjection_query_hot_path"
+native_grep = "Rack::LibInjection|rack/libinjection|LibInjection|libinjection|rb_li_|li_input_|li_scan_|libinjection_sqli|libinjection_xss|collect_attacks_from_env|scan_query_into|scan_query_value_into|scan_url_encoded_string_into|scan_string_into|detect_url_encoded_raw|li_url_decode|li_url_encoded_candidate"
+
+ATTACK_ENV_KEY = Rack::LibInjection::ATTACK_ENV_KEY
+
+def monotonic
+  Process.clock_gettime(Process::CLOCK_MONOTONIC)
+end
+
+def gc_snapshot
+  stat = GC.stat
+
+  {
+    total_allocated_objects: stat.fetch(:total_allocated_objects),
+    minor_gc_count: stat.fetch(:minor_gc_count),
+    major_gc_count: stat.fetch(:major_gc_count)
+  }
+end
+
+def gc_delta(before, after)
+  before.each_with_object({}) do |(key, value), out|
+    out[key] = after.fetch(key) - value
+  end
+end
+
+def payload_for(mode)
+  case mode
+  when "clean" then "normal search term"
+  when "sqli"  then "1 OR 1=1--"
+  when "xss"   then "<script>alert(1)</script>"
+  else
+    raise ArgumentError, "PAYLOAD must be one of: clean, sqli, xss"
+  end
+end
+
+def expected_min_attacks(mode, threats)
+  return 0 if mode == "clean"
+  return 0 if mode == "sqli" && !threats.include?(:sqli)
+  return 0 if mode == "xss" && !threats.include?(:xss)
+
+  1
+end
+
+def build_query(payload)
+  Rack::Utils.build_nested_query(
+    "q" => payload,
+    "profile" => {
+      "name" => "Roman",
+      "filters" => ["recent", payload, "safe"]
+    },
+    "page" => "1"
+  )
+end
+
+payload = payload_for(payload_mode)
+expected_min = expected_min_attacks(payload_mode, threats)
+query = build_query(payload)
+path = "/search?#{query}"
+base_env = Rack::MockRequest.env_for(path)
+
+app = ->(_env) { [204, {}, []] }
+middleware = Rack::LibInjection.new(
+  app,
+  mode: :report,
+  scan: [:query],
+  threats: threats,
+  path_decode_depth: path_decode_depth,
+  notify_skipped: false
+)
+
+preheat_iterations.times do
+  env = base_env.dup
+  status, = middleware.call(env)
+  attacks = env.fetch(ATTACK_ENV_KEY)
+  raise "preheat: unexpected status #{status}" unless status == 204
+  raise "preheat: expected >= #{expected_min} attacks, got #{attacks.inspect}" if attacks.length < expected_min
+end
+
+sample_seconds = (sleep_before_hot_loop + duration + 15).ceil
+sample_file = "/tmp/#{sample_name}.sample"
+txt_file = File.expand_path("results/#{sample_name}.txt", __dir__)
+txt_dir = File.dirname(txt_file)
+
+puts "pid=#{Process.pid}"
+puts "ruby=#{RUBY_DESCRIPTION}"
+puts "platform=#{RUBY_PLATFORM}"
+puts "mode=#{sample_name}"
+puts "call=Rack::LibInjection.new(app, scan: [:query]).call(env)"
+puts "payload=#{payload_mode}"
+puts "threats=#{threats.join(',')}"
+puts "path_decode_depth=#{path_decode_depth}"
+puts "query_bytes=#{query.bytesize}"
+puts "disable_gc=#{disable_gc}"
+puts "duration=#{duration}"
+puts "preheat_iterations=#{preheat_iterations}"
+puts "sample_seconds=#{sample_seconds}"
+puts "sample_file=#{sample_file}"
+puts "txt_file=#{txt_file}"
+puts
+puts "Copy this one-line capture command:"
+puts %(mkdir -p "#{txt_dir}"; OUT="#{txt_file}"; SAMPLE="#{sample_file}"; { sample #{Process.pid} #{sample_seconds} -f "$SAMPLE"; echo; echo "===== focused Rack/native symbols ====="; filtercalltree "$SAMPLE" | grep -E "#{native_grep}" | head -360; echo; echo "===== filtercalltree head -360 ====="; filtercalltree "$SAMPLE" | head -360; } 2>&1 | tee "$OUT")
+puts
+puts "Expected hot symbols:"
+puts "  Rack::LibInjection#call / #collect_attacks_from_env"
+puts "  Rack::LibInjection#scan_query_value_into / #scan_url_encoded_string_into"
+puts "  LibInjection.detect_url_encoded_raw -> rb_li_detect_url_encoded_raw"
+puts "  li_input_prepare / li_scan_run / li_scan_perform"
+puts "  libinjection_sqli / libinjection_xss"
+puts
+puts "sleep=#{sleep_before_hot_loop} seconds before hot loop"
+puts
+
+begin
+  GC.start
+  GC.disable if disable_gc
+  before_gc = gc_snapshot
+  sleep sleep_before_hot_loop
+
+  count = 0
+  total_attacks = 0
+  started = monotonic
+  deadline = started + duration
+
+  while monotonic < deadline
+    env = base_env.dup
+    status, = middleware.call(env)
+    raise "hot_loop: unexpected status #{status}" unless status == 204
+
+    attacks = env.fetch(ATTACK_ENV_KEY)
+    total_attacks += attacks.length
+    count += 1
+  end
+
+  elapsed = monotonic - started
+  after_gc = gc_snapshot
+
+  puts "count=#{count}"
+  puts "total_attacks=#{total_attacks}"
+  puts "attacks_per_request=#{format('%.6f', total_attacks.to_f / [count, 1].max)}"
+  puts "elapsed=#{format('%.6f', elapsed)}"
+  puts "requests_per_sec=#{format('%.6f', count / elapsed)}"
+  puts "sec_per_request=#{format('%.9f', elapsed / [count, 1].max)}"
+  puts "gc_delta=#{gc_delta(before_gc, after_gc)}"
+ensure
+  GC.enable
+end

data/script/fuzz_smoke.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+require "securerandom"
+require "libinjection"
+
+PAYLOADS = [
+  "",
+  "1 OR 1=1--",
+  "<script>alert(1)</script>",
+  "abc\0def".b,
+  "\xFF\xFE1 OR 1=1--".b,
+  ("a" * 2_048) + " 1 OR 1=1--",
+  "1 OR 1=1--".encode(Encoding::UTF_16LE)
+].freeze
+
+PAYLOADS.each do |payload|
+  LibInjection.detect(payload)
+  LibInjection.sqli?(payload)
+  LibInjection.xss?(payload)
+end
+
+1_000.times do |i|
+  bytes = SecureRandom.random_bytes(rand(0..4096))
+  bytes.force_encoding([Encoding::BINARY, Encoding::UTF_8].sample)
+
+  LibInjection.detect_raw(bytes)
+  LibInjection.sqli?(bytes)
+  LibInjection.xss?(bytes)
+rescue LibInjection::ParserError
+  next
+rescue StandardError => e
+  warn "fuzz smoke failed at iteration #{i}: #{e.class}: #{e.message}"
+  raise
+end
+
+puts "fuzz smoke: ok"

data/script/vendor_libs.rb

@@ -0,0 +1,227 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "digest"
+require "fileutils"
+require "net/http"
+require "uri"
+require "optparse"
+require "rubygems/package"
+require "tmpdir"
+require "zlib"
+
+VENDOR_ROOT = File.expand_path("../ext/libinjection/vendor", __dir__)
+LIB_DIR = File.join(VENDOR_ROOT, "libinjection")
+MANIFEST_PATH = File.join(LIB_DIR, ".vendored")
+NORMALIZED_MTIME = Time.utc(2000, 1, 1).freeze
+MANIFEST_HEADER = "# rack-libinjection vendor manifest. Do not edit by hand. Regenerate with: ruby script/vendor_libs.rb"
+
+PIN = {
+  name: "libinjection",
+  version: "4.0.0",
+  url: "https://codeload.github.com/libinjection/libinjection/tar.gz/v%<version>s?dummy=/",
+  strip_prefix: "libinjection-%<version>s",
+  sha256: "a69d27e3d98608df89203c4e1c00c034fe0f8c723017e4088ab53ce3ff5a9129",
+  size: 2_237_310,
+  keep: %w[
+    COPYING
+    README.md
+    MIGRATION.md
+    src/libinjection.h
+    src/libinjection_error.h
+    src/libinjection_html5.h
+    src/libinjection_sqli.h
+    src/libinjection_sqli_data.h
+    src/libinjection_xss.h
+    src/libinjection_sqli.c
+    src/libinjection_xss.c
+    src/libinjection_html5.c
+  ]
+}.freeze
+
+options = { mode: :sync }
+OptionParser.new do |opts|
+  opts.banner = "Usage: script/vendor_libs.rb [--sync | --verify]"
+  opts.on("--sync", "Download and vendor pinned libinjection source") { options[:mode] = :sync }
+  opts.on("--verify", "Verify vendored source tree without network") { options[:mode] = :verify }
+end.parse!
+
+def normalize_tree!(directory)
+  Dir.glob(File.join(directory, "**", "*"), File::FNM_DOTMATCH).each do |path|
+    base = File.basename(path)
+    next if base == "." || base == ".." || File.symlink?(path)
+
+    if File.file?(path)
+      File.chmod(0o644, path)
+      File.utime(NORMALIZED_MTIME, NORMALIZED_MTIME, path)
+    elsif File.directory?(path)
+      File.chmod(0o755, path)
+    end
+  end
+end
+
+def tree_sha256_for(directory)
+  entries = Dir.glob(File.join(directory, "**", "*"), File::FNM_DOTMATCH)
+               .reject { |path| File.directory?(path) || File.symlink?(path) || %w[. .. .vendored].include?(File.basename(path)) }
+               .sort
+
+  digest = Digest::SHA256.new
+  entries.each do |path|
+    relative = path.sub(/\A#{Regexp.escape(directory)}\/?/, "")
+    digest << relative << "\0"
+    digest << File.binread(path)
+    digest << "\0"
+  end
+  digest.hexdigest
+end
+
+def manifest_body(tree_sha256)
+  [
+    "libinjection_version=#{PIN[:version]}",
+    "libinjection_url=#{format(PIN[:url], version: PIN[:version])}",
+    "libinjection_archive_sha256=#{PIN[:sha256]}",
+    "libinjection_tree_sha256=#{tree_sha256}"
+  ]
+end
+
+def write_manifest!(tree_sha256)
+  content = ([MANIFEST_HEADER] + manifest_body(tree_sha256)).join("\n") + "\n"
+  File.write(MANIFEST_PATH, content)
+  File.chmod(0o644, MANIFEST_PATH)
+  File.utime(NORMALIZED_MTIME, NORMALIZED_MTIME, MANIFEST_PATH)
+end
+
+def parse_manifest
+  return {} unless File.file?(MANIFEST_PATH)
+
+  File.readlines(MANIFEST_PATH, chomp: true).each_with_object({}) do |line, kv|
+    next if line.empty? || line.start_with?("#")
+
+    key, value = line.split("=", 2)
+    kv[key] = value if key && value
+  end
+end
+
+def verify_archive!(path)
+  size = File.size(path)
+  abort "Archive size mismatch: expected #{PIN[:size]}, got #{size}" unless size == PIN[:size]
+
+  actual = Digest::SHA256.file(path).hexdigest
+  abort "SHA256 mismatch: expected #{PIN[:sha256]}, got #{actual}" unless actual == PIN[:sha256]
+end
+
+def http_download_to_file!(url, path, redirect_limit: 3)
+  abort "too many redirects while downloading #{url}" if redirect_limit.negative?
+
+  uri = URI(url)
+  Net::HTTP.start(
+    uri.host,
+    uri.port,
+    use_ssl: uri.scheme == "https",
+    open_timeout: 10,
+    read_timeout: 30
+  ) do |http|
+    request = Net::HTTP::Get.new(uri)
+    http.request(request) do |response|
+      case response
+      when Net::HTTPSuccess
+        File.open(path, "wb") { |file| response.read_body { |chunk| file.write(chunk) } }
+      when Net::HTTPRedirection
+        location = response["location"]
+        abort "redirect without Location while downloading #{url}" unless location
+
+        return http_download_to_file!(URI.join(uri, location).to_s, path, redirect_limit: redirect_limit - 1)
+      else
+        abort "download failed: HTTP #{response.code} #{response.message}"
+      end
+    end
+  end
+end
+
+def download_archive!(path)
+  url = format(PIN[:url], version: PIN[:version])
+  puts "Downloading #{url}"
+
+  attempts = 0
+  begin
+    attempts += 1
+    http_download_to_file!(url, path)
+  rescue SystemCallError, IOError, Timeout::Error, Net::OpenTimeout, Net::ReadTimeout => e
+    retry if attempts < 3
+
+    abort "download failed after #{attempts} attempts: #{e.class}: #{e.message}"
+  end
+
+  verify_archive!(path)
+end
+
+def extract_archive!(archive)
+  strip_prefix = format(PIN[:strip_prefix], version: PIN[:version])
+  prefix_re = /\A#{Regexp.escape(strip_prefix)}\//
+
+  FileUtils.rm_rf(LIB_DIR)
+  FileUtils.mkdir_p(LIB_DIR)
+
+  Gem::Package::TarReader.new(Zlib::GzipReader.open(archive)) do |tar|
+    tar.each do |entry|
+      relative = entry.full_name.sub(prefix_re, "")
+      next if relative.empty? || relative == entry.full_name
+      next unless PIN[:keep].include?(relative)
+      next unless entry.file?
+
+      target = File.join(LIB_DIR, relative)
+      FileUtils.mkdir_p(File.dirname(target))
+      File.binwrite(target, entry.read)
+    end
+  end
+
+  missing = PIN[:keep].reject { |relative| File.file?(File.join(LIB_DIR, relative)) }
+  abort "Missing expected vendored files:\n  #{missing.join("\n  ")}" unless missing.empty?
+
+  normalize_tree!(LIB_DIR)
+  tree_sha256_for(LIB_DIR)
+end
+
+def verify_vendor!
+  failures = []
+  manifest = parse_manifest
+
+  expected_files = PIN[:keep] + [".vendored"]
+  missing = expected_files.reject { |relative| File.file?(File.join(LIB_DIR, relative)) }
+  failures << "missing files:\n  #{missing.join("\n  ")}" unless missing.empty?
+
+  if manifest["libinjection_archive_sha256"] != PIN[:sha256]
+    failures << "manifest archive sha256 does not match PIN"
+  end
+
+  if File.directory?(LIB_DIR)
+    actual_tree = tree_sha256_for(LIB_DIR)
+    manifest_tree = manifest["libinjection_tree_sha256"]
+    failures << "tree_sha256 mismatch: manifest=#{manifest_tree.inspect} actual=#{actual_tree}" if manifest_tree && manifest_tree != actual_tree
+  end
+
+  if failures.empty?
+    puts "vendor verify: ok"
+    exit 0
+  end
+
+  failures.each { |failure| warn failure }
+  exit 1
+end
+
+case options[:mode]
+when :verify
+  verify_vendor!
+when :sync
+  FileUtils.mkdir_p(VENDOR_ROOT)
+  Dir.mktmpdir("rack-libinjection-vendor-") do |tmpdir|
+    archive = File.join(tmpdir, "libinjection-#{PIN[:version]}.tar.gz")
+    download_archive!(archive)
+    tree = extract_archive!(archive)
+    write_manifest!(tree)
+    puts "vendor sync: ok"
+    puts "  libinjection: version=#{PIN[:version]} archive_sha256=#{PIN[:sha256]} tree_sha256=#{tree}"
+  end
+else
+  abort "unknown mode: #{options[:mode].inspect}"
+end

data/test/test_helper.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift File.expand_path("../lib", __dir__)
+
+require "minitest/autorun"
+require "rack/mock"
+require "rack/libinjection"

data/test/test_libinjection.rb

@@ -0,0 +1,223 @@
+# frozen_string_literal: true
+
+require_relative "test_helper"
+
+class TestLibInjection < Minitest::Test
+  def test_sqli_detection
+    assert_equal true, LibInjection.sqli?("1 OR 1=1--")
+  end
+
+  def test_sqli_fingerprint
+    fingerprint = LibInjection.sqli_fingerprint("1 OR 1=1--")
+    assert_kind_of String, fingerprint
+    refute_empty fingerprint
+  end
+
+  def test_benign_string
+    assert_equal false, LibInjection.sqli?("ordinary search text")
+    assert_nil LibInjection.sqli_fingerprint("ordinary search text")
+  end
+
+  def test_empty_string_is_safe
+    assert_equal false, LibInjection.sqli?("")
+    assert_equal false, LibInjection.xss?("")
+    assert_nil LibInjection.detect_raw("")
+  end
+
+  def test_nil_is_rejected
+    assert_raises TypeError do
+      LibInjection.detect_raw(nil)
+    end
+  end
+
+  def test_binary_invalid_utf8_is_scanned_as_bytes
+    input = "\xFF\xFE1 OR 1=1--".b
+    input.force_encoding(Encoding::UTF_8)
+
+    assert_equal false, input.valid_encoding?
+    assert_equal :sqli, LibInjection.detect_raw(input).fetch(0)
+  end
+
+  def test_null_bytes_do_not_crash
+    input = "abc\0<script>alert(1)</script>".b
+
+    assert_equal :xss, LibInjection.detect_raw(input).fetch(0)
+  end
+
+  def test_utf16_is_not_implicitly_decoded
+    input = "1 OR 1=1--".encode(Encoding::UTF_16LE)
+
+    assert_nil LibInjection.detect_raw(input)
+  end
+
+  def test_large_input_uses_nogvl_path_safely
+    input = "1 OR 1=1--" + ("a" * 2_048)
+
+    assert_equal :sqli, LibInjection.detect_raw(input).fetch(0)
+  end
+
+  def test_detect_raw_sqli
+    match = LibInjection.detect_raw("1 OR 1=1--")
+
+    assert_equal :sqli, match[0]
+    assert_kind_of String, match[1]
+  end
+
+  def test_detect_raw_xss
+    match = LibInjection.detect_raw("<script>alert(1)</script>")
+
+    assert_equal :xss, match[0]
+    assert_nil match[1]
+  end
+
+  def test_detect_raw_benign
+    assert_nil LibInjection.detect_raw("ordinary search text")
+  end
+
+  def test_detect_result
+    result = LibInjection.detect("1 OR 1=1--")
+    assert result.detected?
+    assert result.sqli?
+  end
+
+  def test_sqli_result
+    result = LibInjection.sqli_result("1 OR 1=1--")
+
+    assert_equal :sqli, result[:type]
+    assert_equal true, result[:detected]
+    assert_kind_of String, result[:fingerprint]
+    assert_kind_of Hash, result[:stats]
+  end
+
+  def test_sqli_result_rejects_invalid_options
+    assert_raises ArgumentError do
+      LibInjection.sqli_result("1 OR 1=1--", context: :unknown)
+    end
+
+    assert_raises ArgumentError do
+      LibInjection.sqli_result("1 OR 1=1--", quote: :unknown)
+    end
+
+    assert_raises ArgumentError do
+      LibInjection.sqli_result("1 OR 1=1--", dialect: :unknown)
+    end
+  end
+
+  def test_sqli_contexts
+    contexts = LibInjection.sqli_contexts("1 OR 1=1--")
+
+    refute_empty contexts
+    assert contexts.any? { |ctx| ctx[:detected] }
+    assert contexts.all? { |ctx| ctx.key?(:context) && ctx.key?(:flags) }
+  end
+
+  def test_sqli_context_flags
+    assert_equal LibInjection::SQLI_CONTEXTS.fetch(:single_mysql),
+                 LibInjection.sqli_flags(context: :single_mysql)
+    assert_equal LibInjection::SQLI_QUOTES.fetch(:single) | LibInjection::SQLI_DIALECTS.fetch(:mysql),
+                 LibInjection.sqli_flags(quote: :single, dialect: :mysql)
+  end
+
+  def test_sqli_fingerprint_for_context
+    fp = LibInjection.sqli_fingerprint_for("1 OR 1=1--", context: :none_ansi)
+
+    assert_kind_of String, fp
+    refute_empty fp
+  end
+
+  def test_sqli_tokens
+    tokens = LibInjection.sqli_tokens("1 OR 1=1--")
+
+    refute_empty tokens
+    assert_equal :number, tokens.first[:type]
+    assert_equal "1", tokens.first[:value]
+  end
+
+  def test_sqli_tokens_rejects_invalid_options
+    assert_raises ArgumentError do
+      LibInjection.sqli_tokens("1 OR 1=1--", context: :unknown)
+    end
+  end
+
+  def test_sqli_folded_tokens
+    tokens = LibInjection.sqli_tokens("1 OR 1=1--", fold: true)
+
+    refute_empty tokens
+    assert tokens.size <= LibInjection.sqli_tokens("1 OR 1=1--").size
+  end
+
+  def test_xss_detection
+    assert_equal true, LibInjection.xss?("<script>alert(1)</script>")
+  end
+
+  def test_xss_result
+    result = LibInjection.xss_result("<script>alert(1)</script>")
+
+    assert_equal :xss, result[:type]
+    assert_equal true, result[:detected]
+  end
+
+  def test_xss_result_rejects_invalid_options
+    assert_raises ArgumentError do
+      LibInjection.xss_result("<script>alert(1)</script>", context: :unknown)
+    end
+  end
+
+  def test_xss_contexts
+    contexts = LibInjection.xss_contexts("<script>alert(1)</script>")
+
+    refute_empty contexts
+    assert contexts.any? { |ctx| ctx[:detected] }
+  end
+
+  def test_html5_tokens
+    tokens = LibInjection.html5_tokens("<script>alert(1)</script>")
+
+    refute_empty tokens
+    assert_equal :tag_name_open, tokens.first[:type]
+    assert_equal "script", tokens.first[:value]
+  end
+
+  def test_html5_tokens_rejects_invalid_options
+    assert_raises ArgumentError do
+      LibInjection.html5_tokens("<script>alert(1)</script>", context: :unknown)
+    end
+  end
+
+  def test_html5_context_flags
+    assert_equal LibInjection::HTML5_CONTEXTS.fetch(:value_double_quote),
+                 LibInjection.xss_flags(context: :value_double_quote)
+  end
+  def test_detect_url_encoded_raw_decodes_twice
+    match = LibInjection.detect_url_encoded_raw("q=1%2520OR%25201%253D1--", 2, true, 3)
+
+    assert_equal :sqli, match.fetch(0)
+  end
+
+  def test_detect_url_encoded_raw_respects_depth
+    assert_nil LibInjection.detect_url_encoded_raw("q=1%2520OR%25201%253D1--", 1, true, 3)
+  end
+
+  def test_detect_url_encoded_raw_can_scan_only_xss
+    match = LibInjection.detect_url_encoded_raw("q=%3Cscript%3Ealert(1)%3C/script%3E", 2, true, 2)
+
+    assert_equal :xss, match.fetch(0)
+  end
+
+  def test_detect_url_encoded_raw_accepts_malformed_percent_escapes
+    assert_nil LibInjection.detect_url_encoded_raw("q=%ZZordinary", 2, true, 3)
+  end
+
+  def test_detect_url_encoded_raw_rejects_excessive_depth
+    assert_raises ArgumentError do
+      LibInjection.detect_url_encoded_raw("q=ordinary", 33, true, 3)
+    end
+  end
+
+  def test_detect_url_encoded_raw_rejects_invalid_mask
+    assert_raises ArgumentError do
+      LibInjection.detect_url_encoded_raw("q=ordinary", 2, true, 0)
+    end
+  end
+
+end