rodin/review-bot
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

feat(github): add safeguards against accidental AllowInsecureHTTP use (#96) #113

Merged
aweiker merged 6 commits from review-bot-issue-96 into main 2026-05-13 20:21:42 +00:00
Conversation 49 Commits 6 Files Changed 3
+5 -6
2 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit ab2a6c8aef - Show all commits
github/client.go
+1 -2
View File
1
 @@ -155,7 +155,7 @@ type clientConfig struct {
// environment variable. Without the env var set, the option is ignored // environment variable. Without the env var set, the option is ignored
// and a warning is logged. // and a warning is logged.
// //
sonnet-review-bot commented 2026-05-13 18:45:29 +00:00
Review
Copy Link
Copy Source

[MINOR] AllowInsecureHTTPForTest is in the production file (client.go). Per the convention, test-only helpers should ideally live in an export_test.go file or be clearly gated. Since this function is exported and intended exclusively for test code, it bleeds test surface into the production API. Consider moving it to a file compiled only during tests (e.g., export_test.go), or renaming to make its test-only nature even more prominent in godoc.

**[MINOR]** AllowInsecureHTTPForTest is in the production file (client.go). Per the convention, test-only helpers should ideally live in an export_test.go file or be clearly gated. Since this function is exported and intended exclusively for test code, it bleeds test surface into the production API. Consider moving it to a file compiled only during tests (e.g., export_test.go), or renaming to make its test-only nature even more prominent in godoc.
// For tests, use AllowInsecureHTTPForTest (defined in export_test.go) which bypasses the env gate. // For tests, use AllowInsecureHTTPForTest (defined in a _test.go file in the same package) which bypasses the env gate.
func AllowInsecureHTTP() ClientOption { func AllowInsecureHTTP() ClientOption {
return func(cfg *clientConfig) { return func(cfg *clientConfig) {
gpt-review-bot commented 2026-05-13 18:26:41 +00:00
Review
Copy Link
Copy Source

[MINOR] AllowInsecureHTTPForTest is exported but intended only for tests. Consider making it unexported (allowInsecureHTTPForTest) and using it from package-internal tests, or clearly document and enforce via build tags/export_test.go if cross-package tests require it, to reduce risk of accidental production use.

**[MINOR]** AllowInsecureHTTPForTest is exported but intended only for tests. Consider making it unexported (allowInsecureHTTPForTest) and using it from package-internal tests, or clearly document and enforce via build tags/export_test.go if cross-package tests require it, to reduce risk of accidental production use.
gpt-review-bot commented 2026-05-13 20:06:24 +00:00
Review
Copy Link
Copy Source

[NIT] For functional options, consider a With* naming convention (e.g., WithInsecureHTTP) to align with common Go patterns and improve discoverability (see configuration.md, Functional Options).

**[NIT]** For functional options, consider a With* naming convention (e.g., WithInsecureHTTP) to align with common Go patterns and improve discoverability (see configuration.md, Functional Options).
cfg.allowInsecureHTTP = true cfg.allowInsecureHTTP = true
8
 @@ -272,7 +272,6 @@ func redactURL(rawURL string) string {
if u.RawQuery != "" { if u.RawQuery != "" {
u.RawQuery = "<redacted>" u.RawQuery = "<redacted>"
} }
u.Fragment = ""
return u.String() return u.String()
} }
5
github/client_test.go
+4 -4
View File
3
 @@ -547,8 +547,8 @@ func TestNoInsecureOption_RejectsHTTP(t *testing.T) {
func TestNoInsecureOption_RejectsUppercaseHTTP(t *testing.T) { func TestNoInsecureOption_RejectsUppercaseHTTP(t *testing.T) {
// Verify case-insensitive scheme check (RFC 3986). // Verify case-insensitive scheme check (RFC 3986).
c := NewClient("tok", "HTTP://example.com") c := NewClient("tok", "HTTP://127.0.0.1:1")
_, err := c.doGet(context.Background(), "HTTP://example.com/test") _, err := c.doGet(context.Background(), "HTTP://127.0.0.1:1/test")
if err == nil { if err == nil {
t.Fatal("expected error for uppercase HTTP scheme") t.Fatal("expected error for uppercase HTTP scheme")
} }
sonnet-review-bot commented 2026-05-13 18:36:00 +00:00
Review
Copy Link
Copy Source

[NIT] Missing blank line between TestNoInsecureOption_RejectsHTTP and TestNoInsecureOption_RejectsUppercaseHTTP — minor formatting inconsistency compared to the rest of the file, but gofmt doesn't enforce blank lines between top-level declarations in the same way.

**[NIT]** Missing blank line between `TestNoInsecureOption_RejectsHTTP` and `TestNoInsecureOption_RejectsUppercaseHTTP` — minor formatting inconsistency compared to the rest of the file, but `gofmt` doesn't enforce blank lines between top-level declarations in the same way.
@@ -559,8 +559,8 @@ func TestNoInsecureOption_RejectsUppercaseHTTP(t *testing.T) {
func TestNoInsecureOption_RejectsMixedCaseHTTP(t *testing.T) { func TestNoInsecureOption_RejectsMixedCaseHTTP(t *testing.T) {
// Verify mixed case like "Http://" is also rejected. // Verify mixed case like "Http://" is also rejected.
c := NewClient("tok", "Http://example.com") c := NewClient("tok", "Http://127.0.0.1:1")
_, err := c.doGet(context.Background(), "Http://example.com/test") _, err := c.doGet(context.Background(), "Http://127.0.0.1:1/test")
if err == nil { if err == nil {
t.Fatal("expected error for mixed-case HTTP scheme") t.Fatal("expected error for mixed-case HTTP scheme")
} }
1