
Update dependency go to v1.21.5 #18

Merged: bootjp merged 1 commit into main from renovate/go-1.x on Dec 9, 2023

@renovate renovate Bot commented Dec 8, 2023


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| go (source) | golang | patch | 1.21.4 -> 1.21.5 |

Release Notes

golang/go (go)

v1.21.5


Configuration

📅 Schedule: Branch creation - "every weekend" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@bootjp bootjp merged commit e874c3f into main Dec 9, 2023
@bootjp bootjp deleted the renovate/go-1.x branch December 9, 2023 14:20
bootjp added a commit that referenced this pull request May 15, 2026
Three rounds of routing-section findings converging:

1. Codex r6 P1 (new, line 285): r.URL.Path is the percent-DECODED
   form, so a check on it cannot distinguish /queues/%2F/messages
   from /queues//messages — Go decoded %2F to / before path.Clean
   ran, reopening the same confused-deputy vector the r5 pre-Clean
   check was supposed to close. Must read r.URL.EscapedPath()
   instead and explicitly reject %2F (case-insensitive) plus
   %252F (double-encoded) in the queue-name segment.

2. Claude r6 #16/#18/#19 (still open, blocks Phase 4): the §3.4
   pre-Clean paragraph described TWO different mechanisms
   (split-on-/ vs scan-for-//) that disagreed on /queues/ trailing-
   slash behavior, claimed /queues/ would be rejected when the
   consecutive-// scan cannot fire on it, and grammatically
   contradicted itself on /queues/messages (saying it both
   rejects AND allows).

3. Claude r6 #17 (still open, blocks Phase 4): test plan §6.4
   promised 400 cases for the new pre-Clean check but did not
   enumerate them. An implementation could ship the bug and pass.

4. Claude r6 stale line number (cosmetic): §3.3 cited
   adapter/sqs_catalog.go:782 for scanQueueNames; 782 is inside
   throttleConfigEqual, not the paginated loop. The actual
   function is scanQueueNamesAt at line 1234.

Resolution — single ordered procedure replaces the two competing
descriptions:

  1. Read EscapedPath() (raw, percent-encoded form).
  2. Trim /admin/api/v1/sqs/queues/ prefix, split on /.
  3. Validate the queue-name segment: reject (400 ValidationError
     'empty queue name segment') when len(segments)==0,
     segments[0]=="", or url.PathUnescape(segments[0]) decodes
     to empty (catches %2F, %2f, %252F).
  4. Apply path.Clean for trailing-slash normalisation (now safe;
     no empty segment can move into the queue-name position).
  5. Decode sub-resource segments; route by sub-resource shape.

Doc now includes two tables — four canonical bad inputs and four
canonical good inputs — pinning exactly what the router does
for each. The grammar contradiction on /queues/messages is gone
(the table makes it explicit: 200 Describe of a queue literally
named 'messages', NOT a sub-resource error).

§6 item 4 test plan extended with five new 400 cases pinning
the empty-segment + percent-encoded-slash rejections. §3.3
line number corrected to 1234.

No code in this PR; doc-only update. All Phase-4 blocking items
from Claude r6 are resolved; the new Codex r6 P1 (%2F bypass)
folded into the same routing procedure rewrite.
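
Steps 1 to 3 of the routing procedure in the commit message above, sketched in Go as an added example; it is not code from this repository, and the commit itself is doc-only. `queueName`, `checkPath` and the queue name `orders` are hypothetical. Because `url.PathUnescape` turns `%2F` into `/`, the sketch rejects a queue-name segment whose decoded form is empty, contains `/`, or still contains `%2F`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Prefix from step 2 of the commit message.
const queuesPrefix = "/admin/api/v1/sqs/queues/"

// queueName (hypothetical name) applies steps 1-3: it returns the decoded
// queue name and 200, or the status the router should answer with.
func queueName(u *url.URL) (string, int) {
	// Step 1: EscapedPath keeps %2F as sent; u.Path has already decoded it.
	raw := u.EscapedPath()
	if !strings.HasPrefix(raw, queuesPrefix) {
		return "", http.StatusNotFound // assumption: not this router's path
	}
	// Step 2: split on the slashes that were literally on the wire.
	seg := strings.Split(strings.TrimPrefix(raw, queuesPrefix), "/")[0]
	// Step 3: reject an empty segment, one that decodes to or contains "/",
	// and one still carrying %2F after a single decode (sent as %252F).
	name, err := url.PathUnescape(seg)
	if err != nil || name == "" || strings.Contains(name, "/") ||
		strings.Contains(strings.ToLower(name), "%2f") {
		return "", http.StatusBadRequest
	}
	return name, http.StatusOK
}

// checkPath parses a request target and runs queueName on it.
func checkPath(target string) (string, int) {
	u, err := url.Parse(target)
	if err != nil {
		return "", http.StatusBadRequest
	}
	return queueName(u)
}

func main() {
	// Constructed request targets; "orders" is a made-up queue name.
	for _, t := range []string{"messages", "orders/messages", "/messages",
		"%2F/messages", "%2f/messages", "%252F/messages"} {
		u, _ := url.Parse(queuesPrefix + t)
		name, status := checkPath(queuesPrefix + t)
		fmt.Printf("%-16s Path=%-42q name=%q status=%d\n", t, u.Path, name, status)
	}
}
```

The printed `Path` column shows `%2F/messages` and `/messages` collapsing to the same decoded string, which is why the check has to run on `EscapedPath()`.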