Fix nil pointer dereference with malformed URLs when tracing is enabled (#1055)

Author: Peakz

fasthttp/sentryfasthttp.go

@@ -152,9 +152,11 @@ func convert(ctx *fasthttp.RequestCtx) *http.Request {
 	r.Method = string(ctx.Method())
 
 	uri := ctx.URI()
-	url, err := url.Parse(fmt.Sprintf("%s://%s%s", uri.Scheme(), uri.Host(), uri.Path()))
-	if err == nil {
-		r.URL = url
+	r.URL = &url.URL{Path: string(uri.Path())}
+	r.URL.RawQuery = string(uri.QueryString())
+
+	if parsedURL, err := url.Parse(fmt.Sprintf("%s://%s%s", uri.Scheme(), uri.Host(), uri.Path())); err == nil {
+		r.URL = parsedURL
 		r.URL.RawQuery = string(uri.QueryString())
 	}
 

fasthttp/sentryfasthttp_test.go

@@ -571,3 +571,35 @@ func TestSetHubOnContext(t *testing.T) {
 		t.Fatalf("expected hub to be %v, but got %v", hub, retrievedHub)
 	}
 }
+
+// TestMalformedURLNoPanic verifies that malformed URLs don't cause panics
+// when tracing is enabled
+func TestMalformedURLNoPanic(t *testing.T) {
+	err := sentry.Init(sentry.ClientOptions{
+		EnableTracing:    true,
+		TracesSampleRate: 1.0,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sentryHandler := sentryfasthttp.New(sentryfasthttp.Options{})
+
+	handler := sentryHandler.Handle(func(ctx *fasthttp.RequestCtx) {
+		ctx.SetStatusCode(fasthttp.StatusOK)
+		ctx.SetBodyString("OK")
+	})
+
+	ctx := &fasthttp.RequestCtx{}
+	ctx.Request.SetRequestURI("http://localhost/%zz")
+	ctx.Request.Header.SetMethod("GET")
+	ctx.Request.SetHost("localhost")
+	ctx.Request.Header.Set("User-Agent", "fasthttp")
+
+	handler(ctx)
+
+	// Should complete successfully without panic
+	if ctx.Response.StatusCode() != fasthttp.StatusOK {
+		t.Errorf("Expected 200, got %d", ctx.Response.StatusCode())
+	}
+}

fiber/sentryfiber.go

@@ -152,9 +152,11 @@ func convert(ctx *fiber.Ctx) *http.Request {
 	r.Method = utils.CopyString(ctx.Method())
 
 	uri := ctx.Request().URI()
-	url, err := url.Parse(fmt.Sprintf("%s://%s%s", uri.Scheme(), uri.Host(), uri.Path()))
-	if err == nil {
-		r.URL = url
+	r.URL = &url.URL{Path: string(uri.Path())}
+	r.URL.RawQuery = string(uri.QueryString())
+
+	if parsedURL, err := url.Parse(fmt.Sprintf("%s://%s%s", uri.Scheme(), uri.Host(), uri.Path())); err == nil {
+		r.URL = parsedURL
 		r.URL.RawQuery = string(uri.QueryString())
 	}
 

fiber/sentryfiber_test.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"reflect"
 	"strings"
 	"testing"
@@ -594,3 +595,40 @@ func TestSetHubOnContext(t *testing.T) {
 		t.Fatalf("Expected status code %d, got %d", http.StatusOK, resp.StatusCode)
 	}
 }
+
+// TestMalformedURLNoPanic verifies that malformed URLs don't cause panics
+// when tracing is enabled,
+func TestMalformedURLNoPanic(t *testing.T) {
+	err := sentry.Init(sentry.ClientOptions{
+		EnableTracing:    true,
+		TracesSampleRate: 1.0,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	app := fiber.New()
+	app.Use(sentryfiber.New(sentryfiber.Options{Timeout: 3 * time.Second, WaitForDelivery: true}))
+
+	app.Get("/*", func(c *fiber.Ctx) error {
+		return c.SendString("OK")
+	})
+
+	req := &http.Request{
+		Method: "GET",
+		URL:    &url.URL{Scheme: "http", Host: "localhost", Path: "/%zz"},
+		Header: make(http.Header),
+		Host:   "localhost",
+	}
+	req.Header.Set("User-Agent", "fiber")
+
+	resp, err := app.Test(req)
+	if err != nil {
+		t.Fatalf("Request failed: %v", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("Expected 200, got %d", resp.StatusCode)
+	}
+}