fix(helpers): fix DecodeURIIfNeeded idempotence for '?' and '#' in URIs#708
Merged
wizzomafizzo merged 1 commit intomainfrom Apr 18, 2026
Merged
fix(helpers): fix DecodeURIIfNeeded idempotence for '?' and '#' in URIs#708wizzomafizzo merged 1 commit intomainfrom
wizzomafizzo merged 1 commit intomainfrom
Conversation
Custom-scheme branch: re-encode '?' and '#' after url.PathUnescape (in addition to '/') so that decoded gen-delims don't become structural separators on a second parse pass. Fixes crash on steAm://%2F%3F where %3F decoded to a literal '?' that was then parsed as a query separator. http/https branch: extract fragment via the first '#' in the raw URI before calling ParseURIComponents. Per RFC 3986, '#' takes precedence over '?', so a fragment containing '?' would be mis-parsed as a query separator on the second decode pass. Fixes crash on http://?#?#%. Adds regression corpus files from issues #690 and #706.
📝 WalkthroughWalkthroughThis PR fixes a crash discovered in nightly fuzz tests by enhancing URI decoding logic to properly re-encode special delimiter characters ( Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
pkg/helpers/uris_test.go (1)
339-420: Add an explicit table case forhttp://?#?#%in this unit test block.The fuzz seed is great for reproduction, but pinning the expected decoded string here would make CI regressions easier to diagnose without fuzz context.
As per coding guidelines, "Write tests for all new code — use testify/mock, sqlmock, afero, and patterns from pkg/testing/".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/helpers/uris_test.go` around lines 339 - 420, Add a new table entry to the tests slice inside TestDecodeURIIfNeeded_EdgeCases for the fuzz seed input "http://?#?#%" so CI pins the expected output; e.g. add { name: "http_fuzz_seed_question_marks", input: "http://?#?#%", expected: "http://?#?#%" } alongside the other cases in the tests variable used by TestDecodeURIIfNeeded_EdgeCases to ensure the decoder's behavior for that edge-case is explicitly asserted.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@pkg/helpers/uris_test.go`:
- Around line 339-420: Add a new table entry to the tests slice inside
TestDecodeURIIfNeeded_EdgeCases for the fuzz seed input "http://?#?#%" so CI
pins the expected output; e.g. add { name: "http_fuzz_seed_question_marks",
input: "http://?#?#%", expected: "http://?#?#%" } alongside the other cases in
the tests variable used by TestDecodeURIIfNeeded_EdgeCases to ensure the
decoder's behavior for that edge-case is explicitly asserted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 91356531-9422-4b28-b2bb-340c9db3edf2
📒 Files selected for processing (4)
pkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/b1dd9e28e8156f0dpkg/helpers/testdata/fuzz/FuzzDecodeURIIfNeeded/ecaa49a609591b96pkg/helpers/uris.gopkg/helpers/uris_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #690 and #706 — nightly fuzz crashes in
FuzzDecodeURIIfNeeded.Both inputs violated the idempotence property (
decode(decode(x)) == decode(x)).Custom-scheme branch (
steAm://%2F%3F):%3Fdecoded to a literal?, which was then parsed as a query separator on the second pass. Fix: extend the segment re-encoder to escape?→%3Fand#→%23in addition to/.http/https branch (
http://?#?#%): Per RFC 3986,#introduces the fragment and takes precedence over?. The old code extracted the fragment from the query string after the fact, so a fragment containing?was misread as a query separator on the second parse. Fix: extract fragment from the raw URI (split on first#) before callingParseURIComponents.Regression corpus files from both issues are included.
Summary by CodeRabbit
Bug Fixes
Tests