• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

tecnickcom / gogen / 28746980286
100%

Build:
DEFAULT BRANCH: main
Ran 05 Jul 2026 04:19PM UTC
Jobs 1
Files 165
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

05 Jul 2026 04:11PM UTC coverage: 99.945% (+0.001%) from 99.944%
28746980286

push

github

nicolaasuni
feat(httpreverseproxy)!: enforce base-path boundary, redact error logs, and fix forwarding defaults

Harden the reverse-proxy client: validate configuration up front, close a path-traversal gap, stop leaking query secrets into logs, and fix forwarding and transport defaults that broke custom setups and streaming.

Security:
- When the upstream address carries a base path, reject (HTTP 400) any request whose path resolves outside it via "." / ".." before the upstream is contacted; strict by default, opt out with WithLaxBasePath. The configured base path is normalized (path.Clean) so a non-normalized base does not reject every request.
- Never follow upstream redirects: 3xx responses are forwarded verbatim instead of being fetched by the proxy, avoiding an SSRF vector.

Redaction and observability:
- Redact the request query string and the URL embedded in a failed request's *url.Error before logging (configurable via WithRedactFn, default redact.HTTPDataString), and drop the always-empty request_uri field.
- Treat a client that disconnected before the upstream responded (inbound context canceled or deadline exceeded) as a client-closed request, logged at Info with the non-standard 499 code and no 502 written; genuine upstream failures stay a 502 at Error. The distinction is drawn from the inbound context state so an upstream ResponseHeaderTimeout still reports as 502.

Correctness:
- Validate the upstream address in New: require an http/https scheme and a host, returning ErrInvalidAddress instead of building a silently broken proxy from inputs like "" or "localhost:8080".
- Install the default rewrite only when the supplied proxy has neither a Rewrite nor a Director set, so a custom WithReverseProxy Director is no longer overridden by an injected Rewrite that made ReverseProxy reject every request.
- Drop the redundant SetURL call and clear RawPath in the default rewrite so the outbound escaped path is re-derived from the freshly built path.

Transport,... (continued)

178 of 178 new or added lines in 2 files covered. (100.0%)

12699 of 12706 relevant lines covered (99.94%)

138823.25 hits per line

Jobs
ID Job ID Ran Files Coverage
1 28746980286.1 05 Jul 2026 04:19PM UTC 165
99.94
GitHub Action Run
Source Files on build 28746980286
  • Tree
  • List 165
  • Changed 2
  • Source Changed 2
  • Coverage Changed 2
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #28746980286
  • b12e0edb on github
  • Prev Build on main (#28744525707)
  • Next Build on main (#28751990389)
  • Delete
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc