fix(helpers): resolve fuzz crashes in DecodeURIIfNeeded and FilenameFromPath#681
Merged
wizzomafizzo merged 1 commit intomainfrom Apr 16, 2026
Merged
fix(helpers): resolve fuzz crashes in DecodeURIIfNeeded and FilenameFromPath#681wizzomafizzo merged 1 commit intomainfrom
wizzomafizzo merged 1 commit intomainfrom
Conversation
…romPath - Add UTF-8 validity check after url.PathUnescape to prevent invalid byte sequences in decoded URIs (e.g. %80 decoding to \x80) - Rewrite custom scheme decoding to process segments individually, preserving unencoded slash structure while re-encoding decoded %2F - Guard against path.Base returning "/" or "." for root-like paths - Use TrimRight instead of TrimSuffix for trailing slash removal in ParseVirtualPathStr for consistent multi-slash handling - Add crash corpus files from nightly fuzz runs Fixes #675, fixes #667
📝 WalkthroughWalkthroughAdds regression test cases from nightly fuzz crashes to test corpus and fixes URI decoding, filename extraction, and virtual path parsing logic to properly validate UTF-8, handle percent-encoded slashes, and trim trailing slashes correctly. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (1 warning, 1 inconclusive)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/helpers/uris.go (1)
191-196: Consider adding debug log for UTF-8 validation failures.When
url.PathUnescapesucceeds but the result is invalid UTF-8, the code silently falls back to the original path. For consistency with the error logging on line 195, consider logging this case as well.Optional: Add debug log for UTF-8 validation failure
if pathPart != "" { decoded, err := url.PathUnescape(pathPart) if err == nil && utf8.ValidString(decoded) { decodedPath = decoded } else if err != nil { log.Debug().Err(err).Str("uri", uri).Msg("failed to decode web URI path, using as-is") + } else { + log.Debug().Str("uri", uri).Msg("decoded path is invalid UTF-8, using as-is") } }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/helpers/uris.go` around lines 191 - 196, The code path in the url.PathUnescape handling in pkg/helpers/uris.go silently ignores cases where unescape succeeds but the decoded string is not valid UTF-8; update the block around decoded, err := url.PathUnescape(pathPart) in the function handling URI path decoding to add a debug log when utf8.ValidString(decoded) is false (e.g., log.Debug().Str("uri", uri).Str("decoded", decoded).Msg("decoded web URI path is not valid UTF-8, using original path")), keeping the existing error log for err != nil intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@pkg/helpers/uris.go`:
- Around line 191-196: The code path in the url.PathUnescape handling in
pkg/helpers/uris.go silently ignores cases where unescape succeeds but the
decoded string is not valid UTF-8; update the block around decoded, err :=
url.PathUnescape(pathPart) in the function handling URI path decoding to add a
debug log when utf8.ValidString(decoded) is false (e.g., log.Debug().Str("uri",
uri).Str("decoded", decoded).Msg("decoded web URI path is not valid UTF-8, using
original path")), keeping the existing error log for err != nil intact.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 414620fe-b901-4166-9eaf-1193097d8f94
📒 Files selected for processing (7)
pkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/2f33ed11876b7a01pkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/4ec218b9e58eabecpkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/5e5f04a1d77ed26apkg/helpers/testdata/fuzz/FuzzFilenameFromPath/c8a94dd46f34b25fpkg/helpers/uris.gopkg/helpers/uris_test.gopkg/helpers/virtualpath/virtualpath.go
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This was referenced Apr 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
DecodeURIIfNeededproducing invalid UTF-8 whenurl.PathUnescapedecodes bytes like%80to non-UTF-8 sequencesDecodeURIIfNeededidempotence failures for custom schemes by decoding path segments individually, preserving unencoded slash structure while re-encoding decoded%2FFilenameFromPathreturning"/"for inputs like"//"wherepath.Basereturns a separatorParseVirtualPathStrinconsistent trailing slash handling (TrimSuffix→TrimRight)Fixes #675, fixes #667
Summary by CodeRabbit
Tests
Bug Fixes