fix: make content negotiation more resilient to bad input #645

Merged Nov 7, 2024 (2 commits)

danielgtaylor (Owner) commented Nov 7, 2024

This PR fixes a bug that caused a panic in the content negotiation package due to bad input. The code has been modified to be more resilient to bad inputs and updated to not use the -1 sentinel value which could in some cases cause index out of bound errors. Existing tests all pass and the newly added bad inputs also work now, either returning no match or ignoring the bad part of the accept header.

Performance is still good (about 304 -> 335 ns/op) and importantly fast matching remains zero allocation:

$ go test -bench=. ./negotiation
goos: darwin
goarch: arm64
pkg: github.com/danielgtaylor/huma/v2/negotiation
cpu: Apple M3 Pro
BenchmarkMatch-12        	 2725090	       386.2 ns/op	     320 B/op	       8 allocs/op
BenchmarkMatchFast-12    	 3572018	       335.0 ns/op	       0 B/op	       0 allocs/op
PASS
ok  	github.com/danielgtaylor/huma/v2/negotiation	3.218s

Fixes #639.

Summary by CodeRabbit

  • New Features

    • Enhanced parsing logic for improved performance and clarity in handling header strings.
    • Introduced a new test case for handling malformed input in the negotiation functionality.
  • Bug Fixes

    • Improved accuracy in identifying and processing content type names in header strings.


coderabbitai bot commented Nov 7, 2024

Caution

Review failed

The pull request is closed.

Walkthrough

The changes made in this pull request focus on optimizing the SelectQValueFast function within the negotiation package. Key modifications include adjustments to the parsing logic for the header string, including changes to variable initialization and condition checks. A new test case, TestMalformedFast, has been added to the negotiation_test.go file to validate the function's handling of malformed input strings, ensuring it does not panic under specific conditions.

Changes

| File | Change Summary |
|------|----------------|
| negotiation/negotiation.go | Modified SelectQValueFast for improved parsing logic; adjusted variable handling for start, end, name, and whitespace. |
| negotiation/negotiation_test.go | Added TestMalformedFast to test SelectQValueFast with malformed input strings. |

Assessment against linked issues

Objective Addressed Explanation
Panic in "SelectQValueFast" on string "a;," (#639)

🐰 "In the garden where we play,
Parsing strings in a better way.
No more panic, just clear delight,
With tests to keep our code just right!
Hopping through logic, swift and fast,
Optimized parsing, built to last!" 🐇



codecov bot commented Nov 7, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.71%. Comparing base (a74067b) to head (58ddf7d).
Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #645      +/-   ##
==========================================
+ Coverage   92.70%   92.71%   +0.01%     
==========================================
  Files          22       22              
  Lines        4879     4888       +9     
==========================================
+ Hits         4523     4532       +9     
  Misses        308      308              
  Partials       48       48              


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (5)
negotiation/negotiation_test.go (1)

53-56: LGTM! The test cases effectively cover the reported panic scenario.

The new test function properly validates the fix for issue #639 by testing the malformed input "a;," that previously caused a panic. The additional test case for ",a " is also valuable for ensuring robustness against other malformed inputs.

Consider adding more edge cases to strengthen the test coverage:

 func TestMalformedFast(t *testing.T) {
 	assert.Equal(t, "", SelectQValueFast("a;,", []string{"d", "e"}))
 	assert.Equal(t, "a", SelectQValueFast(",a ", []string{"a", "b"}))
+	// Additional edge cases
+	assert.Equal(t, "", SelectQValueFast("a;;", []string{"a", "b"}))
+	assert.Equal(t, "", SelectQValueFast(";,", []string{"a", "b"}))
+	assert.Equal(t, "a", SelectQValueFast("a;q=invalid", []string{"a", "b"}))
 }
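
Review bot: The three added assertions in TestMalformedFast fix expected results that nothing visible here justifies, and two of them pull in opposite directions: "a;;" is expected to return "" although "a" is in the allowed list, while "a;q=invalid" is expected to return "a". Run each input against the merged parser first and add a comment per case naming the rule it pins down (empty parameter, missing name, unparseable q); the last case depends on what q falls back to when strconv.ParseFloat fails.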
negotiation/negotiation.go (4)

76-79: Consider adding a clarifying comment.

While the logic is correct, the conditions for updating end could be more clearly documented to explain why we exclude comma and whitespace.

 if char != ',' && char != ' ' && char != '\t' {
-    // Update the end if it's not a comma or whitespace (i.e. end of string).
+    // Only update the end position for content characters, excluding separators
+    // and whitespace. This ensures clean boundaries for the parsed value and
+    // handles cases where the input ends with separators.
     end = pos
 }
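
Review bot: The replacement comment above `end = pos` drops the original's "(i.e. end of string)" qualifier, which says when a non-separator character is expected to reach this check, and substitutes looser wording ("content characters", "clean boundaries"). Keep the qualifier and add only the sentence about input that ends with separators.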

86-89: Consider validating q-value range.

While the parsing is more resilient, q-values should typically be between 0 and 1. Consider validating this range.

 if len(header) > end+1 {
-    if parsed, _ := strconv.ParseFloat(header[start+2:end+1], 64); parsed > 0 {
+    if parsed, _ := strconv.ParseFloat(header[start+2:end+1], 64); parsed >= 0 && parsed <= 1 {
         q = parsed
     }
 }
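
Review bot: Widening the guard to `parsed >= 0 && parsed <= 1` while the error is still discarded by `parsed, _ :=` makes an unparseable q-value indistinguishable from an explicit q=0, because strconv.ParseFloat returns 0 together with its syntax error. Under the old `parsed > 0` guard both were ignored; under the new one both assign `q = 0`, which may not agree with the "a;q=invalid" expectation proposed for the test file. Capture the error and apply the range check only when it is nil.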

118-122: Consider a minor performance optimization.

The current whitespace handling is correct but does multiple position updates. Consider combining the conditions:

-if char != ' ' && char != '\t' {
-    // Only advance end if it's not whitespace.
-    end = pos
-    if header[start] == ' ' || header[start] == '\t' {
-        // Trim leading whitespace.
-        start = pos
-    }
+if char != ' ' && char != '\t' {
+    end = pos
+    // Trim leading whitespace in one check
+    start = min(start, pos)
 }
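
Review bot: `start = min(start, pos)` does not replace the removed trim. The removed branch moves `start` forward to `pos` when `header[start]` is a space or tab, whereas `min(start, pos)` can never return a value larger than `start`, so leading whitespace would stay inside the slice. Keep the explicit `header[start]` check; if fewer branches is the goal, benchmark an alternative that still advances `start`.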

Line range hint 61-122: Good architectural approach to error handling.

The changes follow the robustness principle (Postel's Law) by being liberal in what is accepted while maintaining strict output requirements. The zero-allocation goal is preserved while making the code more resilient.

A few suggestions for future improvements:

  1. Consider adding logging for malformed inputs to help identify client issues
  2. Document the exact format requirements in package documentation
  3. Consider adding fuzzing tests to catch more edge cases
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a74067b and b2fd70c.

📒 Files selected for processing (2)
  • negotiation/negotiation.go (2 hunks)
  • negotiation/negotiation_test.go (1 hunks)
🔇 Additional comments (5)
negotiation/negotiation.go (5)

62-62: Good improvement: Removed sentinel value.

Initializing start to 0 instead of -1 eliminates a potential source of index out of bounds errors while maintaining the same functionality.


69-70: Fixed: Proper handling of semicolon boundaries.

The updated positioning logic correctly handles malformed input like "a;," by ensuring proper start/end positions after encountering a semicolon.


92-93: Good: Proper position reset logic.

The position updates correctly handle the transition between segments, including empty ones.


105-105: Good: Proper state management.

The explicit name resets prevent state from leaking between iterations, making the parser more reliable.

Also applies to: 113-113


80-84: Consider adding input validation.

While the name parsing is more robust, consider validating the name content before using it. Empty or whitespace-only names could still be processed.

 if name == "" {
     // No name yet means we did not encounter a `;`. Either this is a `,`
     // or the end of the string so whatever we have is the name.
     // Example: "a, b, c"
-    name = header[start : end+1]
+    name = strings.TrimSpace(header[start : end+1])
+    if name == "" {
+        continue  // Skip empty segments
+    }
 }
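
Review bot: The added `continue` leaves the iteration early for an empty segment, so any reset of `start`, `end` and `name` that sits later in the loop body (the comments on 92-93 and 105/113 above describe such resets) would be skipped and the next segment would be sliced from stale positions. Drop empty names at the point where the match is attempted instead. Note also that `name == ""` is already the "no `;` seen yet" state in this block, so a whitespace-only name trimmed to "" re-enters that state.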

@danielgtaylor danielgtaylor merged commit 99e2a15 into main Nov 7, 2024
7 checks passed
@danielgtaylor danielgtaylor deleted the fix-negotiation branch November 7, 2024 21:51
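
The bug class this PR describes (a -1 "not set" index reaching a slice expression on input such as "a;,"), shown as an added example that is not part of the pull request and is not huma's code. Both tokenizers, the `panics` helper and the inputs are constructed for illustration; the second scan keeps `start` a valid index at all times and skips empty segments.

```go
package main

import (
	"fmt"
	"strings"
)

// sentinelTokens is a constructed "before": start == -1 means "no token yet",
// so a separator with no token before it slices header[-1:pos] and panics.
func sentinelTokens(header string) (tokens []string) {
	start := -1
	for pos := 0; pos <= len(header); pos++ {
		if pos == len(header) || header[pos] == ',' || header[pos] == ';' {
			tokens = append(tokens, header[start:pos])
			start = -1
		} else if start == -1 {
			start = pos
		}
	}
	return tokens
}

// boundedTokens is the same scan with the invariant 0 <= start <= pos.
func boundedTokens(header string) (tokens []string) {
	start := 0
	for pos := 0; pos <= len(header); pos++ {
		if pos == len(header) || header[pos] == ',' || header[pos] == ';' {
			if tok := strings.TrimSpace(header[start:pos]); tok != "" {
				tokens = append(tokens, tok) // empty segments are skipped
			}
			start = pos + 1
		}
	}
	return tokens
}

// panics reports whether f(in) panicked.
func panics(f func(string), in string) (p bool) {
	defer func() { p = recover() != nil }()
	f(in)
	return
}

func main() {
	for _, in := range []string{"a, b", "a;,", ",a "} { // constructed inputs
		bad := panics(func(s string) { sentinelTokens(s) }, in)
		fmt.Printf("%q: sentinel panics=%v bounded=%q\n", in, bad, boundedTokens(in))
	}
}
```

A panic in a request-header parser is reachable by any client that can send the header, so a table of malformed inputs like this one belongs in the regression tests next to the well-formed cases.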