Sec/lens4 headers #459

Merged
fredbi merged 3 commits into go-openapi:master from fredbi:sec/lens4-headers on May 16, 2026
Conversation

@fredbi fredbi (Member) commented May 15, 2026

Change type

Please select: 🆕 New feature or enhancement | 🔧 Bug fix | 📃 Documentation update

Short description

Fixes

Full description

Checklist

  • I have signed all my commits with my name and email (see DCO). This does not require a PGP-signed commit.
  • I have rebased and squashed my work, so only one commit remains
  • I have added tests to cover my changes.
  • I have properly enriched go doc comments in code.
  • I have properly documented any breaking change.

fredbi and others added 3 commits May 16, 2026 22:25
RFC 7231 §5.3.1 defines qvalue as a fraction in [0, 1]: when the
leading digit is "1", the only valid decimal portion is "0",
"00" or "000". expectQuality previously accepted inputs like
"1.1" or "1.9" verbatim and returned values > 1, letting a
malformed Accept entry artificially boost its priority above
all properly-formed offers.

The fix surfaces the malformed input via the existing q < 0
sentinel; ParseAccept and ParseAccept2 inherit the rejection.

Found by FuzzParseAccept (lens 4 of the security scrub). The
"0;q=1.1" minimised input is persisted under testdata/fuzz/ as
a regression seed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Lands seven fuzz targets covering the header-parsing surface of
the security scrub (lens 4):

- runtime.ContentType
- mediatype.Parse / mediatype.MatchFirst / mediatype.ParseAccept
- negotiate/header.parseValueAndParams / ParseAccept / ParseList

Each target carries a seed corpus of edge cases (malformed
quoting, multi-byte sequences, oversized inputs, invalid q-values,
trailing-semicolon and comma anomalies) plus per-target invariants
(non-zero MediaType only on success; Q in [0,1]; non-empty params
keys; no empty list entries).

CI auto-discovers FuzzXxx via the shared go-test-monorepo workflow.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Frederic BIDON <fredbi@yahoo.com>

Signed-off-by: Frederic BIDON <fredbi@yahoo.com>
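The qvalue grammar the first commit message cites, and the Q-in-[0,1] invariant the fuzz commit mentions, as an added Go example that is not the project's own code: parseQValue returns the -1 sentinel for anything outside RFC 7231 §5.3.1 (so "1.1" and "1.9" are rejected rather than returned verbatim), and highestQ shows why that matters for negotiation. parseQValue, acceptEntry and highestQ are hypothetical names standing in for the library's expectQuality/ParseAccept, not its API.

```go
package main

import "strconv"

// parseQValue parses an RFC 7231 §5.3.1 weight, grammar
// ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] ), and returns the
// -1 sentinel for anything else so callers drop the entry instead of ranking it.
func parseQValue(s string) float64 {
	if s == "" || len(s) > 5 || (s[0] != '0' && s[0] != '1') ||
		(len(s) > 1 && s[1] != '.') {
		return -1
	}
	for i := 2; i < len(s); i++ {
		c := s[i]
		// Reject non-digits (multi-byte sequences included) and, after a
		// leading "1", anything but zeros: "1.1" and "1.9" end here.
		if c < '0' || c > '9' || (s[0] == '1' && c != '0') {
			return -1
		}
	}
	q, err := strconv.ParseFloat(s, 64)
	if err != nil || q < 0 || q > 1 {
		return -1
	}
	return q
}

// acceptEntry is one already-split "media;q=..." element of an Accept header.
type acceptEntry struct {
	Media string
	Q     string // raw q parameter; "" means absent, i.e. q=1
}

// highestQ returns the entry with the greatest valid weight, skipping
// malformed ones so a bogus "q=1.1" cannot outrank well-formed offers.
func highestQ(entries []acceptEntry) (string, float64) {
	best, bestQ := "", -1.0
	for _, e := range entries {
		q := 1.0
		if e.Q != "" {
			q = parseQValue(e.Q)
		}
		if q < 0 || q <= bestQ {
			continue // malformed (sentinel) or not better than the current best
		}
		best, bestQ = e.Media, q
	}
	return best, bestQ
}
```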
@fredbi fredbi force-pushed the sec/lens4-headers branch from 8ba0180 to e5ad065 on May 16, 2026 21:10
@codecov codecov Bot commented May 16, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.15%. Comparing base (4b21532) to head (e5ad065).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #459      +/-   ##
==========================================
+ Coverage   83.14%   83.15%   +0.01%     
==========================================
  Files          62       62              
  Lines        4473     4476       +3     
==========================================
+ Hits         3719     3722       +3     
  Misses        582      582              
  Partials      172      172              


@fredbi fredbi merged commit acb8b1c into go-openapi:master May 16, 2026
27 checks passed
@fredbi fredbi deleted the sec/lens4-headers branch May 16, 2026 21:19