{"id":24328878,"url":"https://github.com/zookzook/bandit-plug-parser-test","last_synced_at":"2026-04-24T14:06:36.736Z","repository":{"id":271362392,"uuid":"913189996","full_name":"zookzook/bandit-plug-parser-test","owner":"zookzook","description":"Demo app showing buffer issue when sending invalid JSON payloads","archived":false,"fork":false,"pushed_at":"2025-01-07T08:02:07.000Z","size":37,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-11T09:18:55.895Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zookzook.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-07T07:53:30.000Z","updated_at":"2025-01-07T08:02:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"58b3cce2-3db9-4976-a349-67242f4a19cc","html_url":"https://github.com/zookzook/bandit-plug-parser-test","commit_stats":null,"previous_names":["zookzook/bandit-plug-parser-test"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zookzook/bandit-plug-parser-test","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zookzook%2Fbandit-plug-parser-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zookzook%2Fbandit-plug-parser-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zookzook%2Fbandit-plug-parser-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zookz
ook%2Fbandit-plug-parser-test/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zookzook","download_url":"https://codeload.github.com/zookzook/bandit-plug-parser-test/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zookzook%2Fbandit-plug-parser-test/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32226460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-01-17T23:32:32.381Z","updated_at":"2026-04-24T14:06:36.721Z","avatar_url":"https://github.com/zookzook.png","language":"Elixir","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ParserTest\n\nShows an issue if a client sends an invalid JSON using keep-alive connections:\n\n```bash\n  curl -X 'POST' \\\n  'http://localhost:4000/api' \\\n  -H 'accept: */*' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"hello\": broken}' \\\n  --next -X 'POST' \\\n  'http://localhost:4000/api' \\\n  -H 'accept: */*' \\\n  -H 'Content-Type: application/json' \\\n  -d '{\"hello\": \"world\"}'\n```\nsends two requests using the same keepalive connection. The first request is invalid\nwhile the second is valid. 
It results in two errors:\n\n```\n[info] POST /api\n[debug] ** (Plug.Parsers.ParseError) malformed request, a Jason.DecodeError exception was raised with message \"unexpected byte at position 10: 0x62 (\\\"b\\\")\"\n    (plug 1.16.1) lib/plug/parsers/json.ex:95: Plug.Parsers.JSON.decode/3\n    (plug 1.16.1) lib/plug/parsers.ex:340: Plug.Parsers.reduce/8\n    (parser_test 0.1.0) lib/parser_test_web/endpoint.ex:1: ParserTestWeb.Endpoint.plug_builder_call/2\n    (parser_test 0.1.0) deps/plug/lib/plug/debugger.ex:136: ParserTestWeb.Endpoint.\"call (overridable 3)\"/2\n    (parser_test 0.1.0) lib/parser_test_web/endpoint.ex:1: ParserTestWeb.Endpoint.call/2\n    (phoenix 1.7.18) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4\n    (bandit 1.6.2) lib/bandit/pipeline.ex:129: Bandit.Pipeline.call_plug!/2\n    (bandit 1.6.2) lib/bandit/pipeline.ex:40: Bandit.Pipeline.run/4\n    (bandit 1.6.2) lib/bandit/http1/handler.ex:12: Bandit.HTTP1.Handler.handle_data/3\n    (bandit 1.6.2) lib/bandit/delegating_handler.ex:18: Bandit.DelegatingHandler.handle_data/3\n    (bandit 1.6.2) lib/bandit/delegating_handler.ex:8: Bandit.DelegatingHandler.handle_continue/2\n    (stdlib 6.0.1) gen_server.erl:2163: :gen_server.try_handle_continue/3\n    (stdlib 6.0.1) gen_server.erl:2072: :gen_server.loop/7\n    (stdlib 6.0.1) proc_lib.erl:329: :proc_lib.init_p_do_apply/3\n\n[error] ** (Bandit.HTTPError) Request line HTTP error: \"{\\\"hello\\\": broken}POST /api HTTP/1.1\\r\\n\"\n```\nPlug raises an exception with a 400 status code.\nWhen the exception is thrown, the changes to the buffer used to parse the invalid JSON are dropped.\nWhen using keepalive connections, Bandit does not close the connection for this status code,\nso the buffer is reused for the next request.\n\nThe next request is added to the buffer. 
This leads to a wrong request and the connection is closed:\n\n```elixir\n  defp handle_error(kind, reason, stacktrace, transport, span, opts, metadata) do\n    Bandit.Telemetry.span_exception(span, kind, reason, stacktrace)\n    status = reason |\u003e Plug.Exception.status() |\u003e Plug.Conn.Status.code()\n\n    if status in Keyword.get(opts.http, :log_exceptions_with_status_codes, 500..599) do\n      logger_metadata = Bandit.Logger.logger_metadata_for(kind, reason, stacktrace, metadata)\n      Logger.error(Exception.format(kind, reason, stacktrace), logger_metadata)\n\n      Bandit.HTTPTransport.send_on_error(transport, reason)\n      {:error, reason}\n    else\n      Bandit.HTTPTransport.send_on_error(transport, reason)\n      {:ok, transport}\n    end\n  end\n```\n\nWhen changing the default status code to 500:\n\n```elixir\n    try do\n      apply(module, fun, [body | args])\n    rescue\n      e -\u003e raise Plug.Parsers.ParseError, exception: e, plug_status: 500\n    else\n```\n\nthe connection is closed and the second request is processed successfully:\n\n```\n[info] POST /api\n[error] ** (Plug.Parsers.ParseError) malformed request, a Jason.DecodeError exception was raised with message \"unexpected byte at position 10: 0x62 (\\\"b\\\")\"\n    (parser_test 0.1.0) lib/parser_test_web/json_parser.ex:95: JSON.decode/3\n    (plug 1.16.1) lib/plug/parsers.ex:340: Plug.Parsers.reduce/8\n    (parser_test 0.1.0) lib/parser_test_web/endpoint.ex:1: ParserTestWeb.Endpoint.plug_builder_call/2\n    (parser_test 0.1.0) deps/plug/lib/plug/debugger.ex:136: ParserTestWeb.Endpoint.\"call (overridable 3)\"/2\n    (parser_test 0.1.0) lib/parser_test_web/endpoint.ex:1: ParserTestWeb.Endpoint.call/2\n    (phoenix 1.7.18) lib/phoenix/endpoint/sync_code_reload_plug.ex:22: Phoenix.Endpoint.SyncCodeReloadPlug.do_call/4\n    (bandit 1.6.2) lib/bandit/pipeline.ex:129: Bandit.Pipeline.call_plug!/2\n    (bandit 1.6.2) lib/bandit/pipeline.ex:40: Bandit.Pipeline.run/4\n    (bandit 1.6.2) 
lib/bandit/http1/handler.ex:12: Bandit.HTTP1.Handler.handle_data/3\n    (bandit 1.6.2) lib/bandit/delegating_handler.ex:18: Bandit.DelegatingHandler.handle_data/3\n    (bandit 1.6.2) lib/bandit/delegating_handler.ex:8: Bandit.DelegatingHandler.handle_continue/2\n    (stdlib 6.0.1) gen_server.erl:2163: :gen_server.try_handle_continue/3\n    (stdlib 6.0.1) gen_server.erl:2072: :gen_server.loop/7\n    (stdlib 6.0.1) proc_lib.erl:329: :proc_lib.init_p_do_apply/3\n\n[info] POST /api\n[debug] Processing with ParserTestWeb.PageController.home/2\n  Parameters: %{\"hello\" =\u003e \"world\"}\n  Pipelines: [:api]\n[info] Sent 200 in 7ms\n\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzookzook%2Fbandit-plug-parser-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzookzook%2Fbandit-plug-parser-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzookzook%2Fbandit-plug-parser-test/lists"}