fix(helpers): fix DecodeURIIfNeeded idempotence for '?' and '#' in URIs#708
fix(helpers): fix DecodeURIIfNeeded idempotence for '?' and '#' in URIs#708wizzomafizzo merged 1 commit intomainfrom
Conversation
Custom-scheme branch: re-encode '?' and '#' after url.PathUnescape (in addition to '/') so that decoded gen-delims don't become structural separators on a second parse pass. Fixes crash on steAm://%2F%3F where %3F decoded to a literal '?' that was then parsed as a query separator. http/https branch: extract fragment via the first '#' in the raw URI before calling ParseURIComponents. Per RFC 3986, '#' takes precedence over '?', so a fragment containing '?' would be mis-parsed as a query separator on the second decode pass. Fixes crash on http://?#?#%. Adds regression corpus files from issues #690 and #706.
📝 WalkthroughWalkthroughThis PR fixes a crash discovered in nightly fuzz tests by enhancing URI decoding logic to properly re-encode special delimiter characters ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/helpers/uris_test.go (1)
339-420: Add an explicit table case forhttp://?#?#%in this unit test block.The fuzz seed is great for reproduction, but pinning the expected decoded string here would make CI regressions easier to diagnose without fuzz context.
As per coding guidelines, "Write tests for all new code — use testify/mock, sqlmock, afero, and patterns from pkg/testing/".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/helpers/uris_test.go` around lines 339 - 420, Add a new table entry to the tests slice inside TestDecodeURIIfNeeded_EdgeCases for the fuzz seed input "http://?#?#%" so CI pins the expected output; e.g. add { name: "http_fuzz_seed_question_marks", input: "http://?#?#%", expected: "http://?#?#%" } alongside the other cases in the tests variable used by TestDecodeURIIfNeeded_EdgeCases to ensure the decoder's behavior for that edge-case is explicitly asserted.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@pkg/helpers/uris_test.go`:
- Around line 339-420: Add a new table entry to the tests slice inside
TestDecodeURIIfNeeded_EdgeCases for the fuzz seed input "http://?#?#%" so CI
pins the expected output; e.g. add { name: "http_fuzz_seed_question_marks",
input: "http://?#?#%", expected: "http://?#?#%" } alongside the other cases in
the tests variable used by TestDecodeURIIfNeeded_EdgeCases to ensure the
decoder's behavior for that edge-case is explicitly asserted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 91356531-9422-4b28-b2bb-340c9db3edf2
📒 Files selected for processing (4)
pkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/b1dd9e28e8156f0dpkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/ecaa49a609591b96pkg/helpers/uris.gopkg/helpers/uris_test.go
Fixes #690 and #706 — nightly fuzz crashes in
FuzzDecodeURIIfNeeded.Both inputs violated the idempotence property (
decode(decode(x)) == decode(x)).Custom-scheme branch (
steAm://%2F%3F):%3Fdecoded to a literal?, which was then parsed as a query separator on the second pass. Fix: extend the segment re-encoder to escape?→%3Fand#→%23in addition to/.http/https branch (
http://?#?#%): Per RFC 3986,#introduces the fragment and takes precedence over?. The old code extracted the fragment from the query string after the fact, so a fragment containing?was misread as a query separator on the second parse. Fix: extract fragment from the raw URI (split on first#) before callingParseURIComponents.Regression corpus files from both issues are included.
Summary by CodeRabbit
Bug Fixes
Tests