From 136e2e6ac2db5035851c9bf57b0b14e736c3b231 Mon Sep 17 00:00:00 2001 From: 0xallam Date: Mon, 25 May 2026 00:29:27 -0700 Subject: [PATCH] Document HTTPQL footguns on list_requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three gotchas that bite the model once per scan if uncovered: - HTTPQL has no NOT operator. Naive `NOT req.path.cont:"/static"` is a parse error. The negated-operator variants (`ne`, `ncont`, `nlike`, `nregex`) are the only way to negate. - Strings must be quoted, integers must not. `resp.code.eq:"200"` parses as a string-vs-int mismatch. - A bare quoted literal searches both `req.raw` and `resp.raw` — useful primitive we never surfaced. All three land in the model-visible tool description. Co-Authored-By: Claude Opus 4.7 (1M context) --- strix/tools/proxy/tools.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/strix/tools/proxy/tools.py b/strix/tools/proxy/tools.py index f6ab5b3..7d39be9 100644 --- a/strix/tools/proxy/tools.py +++ b/strix/tools/proxy/tools.py @@ -140,6 +140,18 @@ async def list_requests( Pagination is cursor-based. Pass the ``end_cursor`` from the ``page_info`` of one call as ``after`` to the next. + Notes: + + - HTTPQL has **no ``NOT`` operator**. Use the negated form of the + operator instead: ``ne``, ``ncont``, ``nlike``, ``nregex`` + (e.g. ``req.path.ncont:"/static"`` to exclude static paths). + - String values **must be quoted**; integer values **must not**. + ``resp.code.eq:200`` is right; ``resp.code.eq:"200"`` is a parse + error. Same rule for ``cont`` / ``regex`` strings. + - A bare quoted string searches both ``req.raw`` and ``resp.raw``, + handy for sensitive-data sweeps: + ``"password" OR "secret" OR "api_key"``. + Args: httpql_filter: Caido HTTPQL query (optional). first: Number of entries to return (default 50).