fix: avoid false CLAIMED for message-type sites on server errors#3012
Open
ardittirana wants to merge 1 commit into
Open
fix: avoid false CLAIMED for message-type sites on server errors#3012ardittirana wants to merge 1 commit into
ardittirana wants to merge 1 commit into
Conversation
For "message" detection, the absence of the not-found error string was treated as proof the username exists, without checking the HTTP status. When a site's endpoint returned a 5xx, the error body lacked the configured errorMsg, so the username was reported as Claimed (a false positive). The message-type decision is moved into check_message_query_status, which now returns UNKNOWN on a 5xx response instead of CLAIMED. Adds offline unit tests for the available, claimed, server-error, and list-of-messages cases. Closes sherlock-project#2950
Author
|
Since the upstream 5xx in #2950 is intermittent and hard to reproduce on demand, here is a deterministic way to confirm the behavior change without waiting for a real outage. It exercises the extracted decision directly: from sherlock_project.sherlock import check_message_query_status
# "not found" signal present -> username is available
print(check_message_query_status('{"valid":true}', '"valid":true', 200)) # Available
# signal absent on a real 200 -> claimed (unchanged behavior)
print(check_message_query_status('{"status":"success"}', '"valid":true', 200)) # Claimed
# signal absent because the server errored (502) -> previously Claimed (false positive), now Unknown
print(check_message_query_status('Bad Gateway', '"valid":true', 502)) # UnknownOn Happy to gate on all non-2xx instead of only 5xx if you'd prefer a stricter rule; I kept it to server errors to stay conservative and match the report. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
For
message-type detection, Sherlock concluded a username was Claimed whenever the configurederrorMsgwas absent from the response body, without checking the HTTP status. When a site endpoint intermittently returns a 5xx, the error body does not containerrorMsg, so the username was reported as a false positive (Claimed).This is the general cause behind #2950 (
minds), and it affects anymessage-type site during a server error.What changed
The
message-type decision is extracted intocheck_message_query_status, which returnsAVAILABLEwhen the not-found message is present,UNKNOWNon a 5xx response (the body cannot be trusted), andCLAIMEDotherwise. Thestatus_codeandresponse_urlbranches already gate on HTTP status; this bringsmessagein line with them.Tests
Added offline unit tests in
tests/test_message_query_status.pyfor the available, claimed, server-error, and list-of-messages cases. The server-error test reproduces the false positive on current code and passes with this change. Full offline suite (-m "not online") passes.Closes #2950