
Conversation

@kylekz
Contributor

@kylekz kylekz commented Dec 25, 2025

with a server function like so:

const $submitFunction = createServerFn({
  method: 'POST'
})
.middleware([authMiddleware])
.handler(async () => {
  return await db.select().from(songs).limit(1);
});

for whatever reason, vite sometimes passes the transformed code to the start compiler like so:

const $submitFunction = createServerFn({
  method: 'POST'
}).
middleware([authMiddleware]).
handler(async () => {
  return await db.select().from(songs).limit(1);
});

when there's whitespace between . and handler(, the compiler doesn't detect the server function and this can leak server code

Summary by CodeRabbit

  • Bug Fixes

    • Improved compiler detection to recognize both factory-style server-function creation and chained handler usages across varied formatting, reducing false positives without altering public interfaces.
  • Tests

    • Expanded coverage for additional pattern scenarios, whitespace/formatting variants, and to reject similarly named functions.


@coderabbitai
Contributor

coderabbitai bot commented Dec 25, 2025

Walkthrough

Broadened ServerFn pre-scan detection: the regex now matches createServerFn(...) factory calls and chained .handler(...) usages including whitespace variants. Tests were added for whitespace variants, direct createServerFn detection, and false-positive avoidance; detectKindsInCode import added to tests.

Changes

  • Compiler Pattern Detection (packages/start-plugin-core/src/start-compiler-plugin/compiler.ts): Broadened ServerFn pre-detection regex from /\.handler\s*\(/ to `/\bcreateServerFn\b
  • Tests / Detection Cases (packages/start-plugin-core/tests/compiler.test.ts): Added tests for whitespace between . and handler (multiple variants), direct createServerFn() detection, and ensuring no false positives for similarly named identifiers; detectKindsInCode imported alongside StartCompiler.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


Poem

🐰 I hopped through code and regex trails,
Spotted factories and dotted sails,
Spaces, handlers, names made right,
Tests cheered softly in the night,
A rabbit nods — the patterns prevail.

Pre-merge checks

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: fixing a regex pattern to detect .handler() calls with whitespace, which is the core issue addressed by broadening the KindDetectionPatterns regex in the compiler.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


📥 Commits

Reviewing files that changed from the base of the PR and between fb7444c and 016fc61.

📒 Files selected for processing (1)
  • packages/start-plugin-core/src/start-compiler-plugin/compiler.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/start-plugin-core/src/start-compiler-plugin/compiler.ts


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/start-plugin-core/src/start-compiler-plugin/compiler.ts (1)

90-90: Critical security fix: LGTM with optional enhancement suggestion.

The regex update correctly addresses the reported security issue where server code could leak to the client when whitespace appears between the dot and handler(). The pattern \.\s*handler\s*\( properly matches method chains with whitespace/newlines, and adding createServerFn\s*\( provides broader coverage for edge cases in reformatted code.

Optional: Add word boundary for more precise matching

Consider adding a word boundary \b before createServerFn to prevent potential false positives like mycreateServerFn():

-  ServerFn: /createServerFn\s*\(|\.\s*handler\s*\(/,
+  ServerFn: /\bcreateServerFn\s*\(|\.\s*handler\s*\(/,
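Review bot: the `\b` on the `+` line guards only the left edge of `createServerFn`, so `mycreateServerFn(` is rejected but `$createServerFn(` or `api.createServerFn(` still match, since `$` and `.` are non-word characters. That is the right direction for a security pre-filter: a false positive here costs one extra AST parse, while a false negative skips the transform and ships the handler body to the client, so the pattern should stay permissive rather than be tightened further (e.g. no `\b` after the name is needed, `\s*\(` already bounds it).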

Note: This is a minor improvement since the pre-scan is validated by AST parsing, so the current implementation is acceptable.
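As an added example (not code from the PR or the project), the three pre-scan regexes discussed on this page, the pre-PR pattern, the merged pattern, and the reviewer's `\b` variant, are run over constructed sources that mimic the hand-written form and Vite's trailing-dot reformatting from the PR description plus the `mycreateServerFn()` lookalike; `serverFnFactory`, `secret` and the sample sources themselves are assumptions.

```typescript
// Added example, not the project's code: the three pre-scan patterns discussed on
// this page, applied to constructed snippets that mimic the formatting variants.
const OLD_PATTERN = /\.handler\s*\(/                              // before the PR
const FIXED_PATTERN = /createServerFn\s*\(|\.\s*handler\s*\(/     // as in the PR diff
const BOUNDED_PATTERN = /\bcreateServerFn\s*\(|\.\s*handler\s*\(/ // reviewer's \b suggestion

// Constructed sample sources (not real project files).
const SAMPLES: Record<string, string> = {
  // Hand-written form from the PR description.
  handWritten: [
    "const $submitFunction = createServerFn({ method: 'POST' })",
    '.middleware([authMiddleware])',
    '.handler(async () => db.select().from(songs).limit(1));',
  ].join('\n'),
  // Form Vite sometimes emits: the dot stays on the previous line.
  viteReformatted: [
    "const $submitFunction = createServerFn({ method: 'POST' }).",
    'middleware([authMiddleware]).',
    'handler(async () => db.select().from(songs).limit(1));',
  ].join('\n'),
  // Chain without createServerFn in the same file; handler follows a tab (assumed helper name).
  tabbed: 'const fn = serverFnFactory()\n\t.\thandler(async () => secret);',
  // Similarly named identifier that is not a server function.
  lookalike: "const x = mycreateServerFn({ method: 'GET' });",
  // Plain client code with no server function at all.
  clientOnly: 'export const label = "submit";',
}

// Run one pre-scan pattern over every sample; true means "forward to the AST pass".
function scan(pattern: RegExp): Record<string, boolean> {
  const hits: Record<string, boolean> = {}
  for (const name of Object.keys(SAMPLES)) hits[name] = pattern.test(SAMPLES[name])
  return hits
}

// Samples the fixed pre-scan forwards to the AST pass but the old one skipped.
// Any genuine server function in this set would have shipped its handler
// body to the client before the fix.
function missedByOldScan(): string[] {
  const before = scan(OLD_PATTERN)
  const after = scan(FIXED_PATTERN)
  return Object.keys(SAMPLES).filter((name) => after[name] && !before[name])
}

const OLD_HITS = scan(OLD_PATTERN)
const FIXED_HITS = scan(FIXED_PATTERN)
const BOUNDED_HITS = scan(BOUNDED_PATTERN)
```

The lookalike shows why the reviewer's `\b` matters only for noise, not safety: the merged pattern forwards it to the AST pass, which then rejects it, while the bounded pattern skips it up front.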


📥 Commits

Reviewing files that changed from the base of the PR and between 8e4cf5b and c4589d0.

📒 Files selected for processing (2)
  • packages/start-plugin-core/src/start-compiler-plugin/compiler.ts
  • packages/start-plugin-core/tests/compiler.test.ts
🧬 Code graph analysis (1)
packages/start-plugin-core/tests/compiler.test.ts (1)
packages/start-plugin-core/src/start-compiler-plugin/compiler.ts (1)
  • detectKindsInCode (146-162)
🔇 Additional comments (2)
packages/start-plugin-core/tests/compiler.test.ts (2)

4-4: Good addition to test API.

Importing detectKindsInCode enables direct testing of the detection patterns, which is appropriate for validating the regex fix.


204-231: Excellent test coverage for the security fix.

These tests thoroughly validate the bug fix and prevent regressions:

  1. Lines 204-213: Directly test the reported issue (whitespace/newlines between . and handler)
  2. Lines 215-222: Validate the complementary improvement (direct createServerFn() detection)
  3. Lines 224-231: Prevent false positives on similarly-named functions like createServerFnExample()

The test cases cover critical edge cases including various whitespace combinations (\n, \t, multiple spaces) that could appear in reformatted code.

@nx-cloud
Copy link

nx-cloud bot commented Dec 25, 2025

CI Pipeline Execution for commit 016fc61

  • nx affected --targets=test:eslint,test:unit,tes... : Succeeded (8m 7s)
  • nx run-many --target=build --exclude=examples/*... : Succeeded (21s)

☁️ Nx Cloud last updated this comment at 2025-12-25 14:02:19 UTC

@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 25, 2025


commit: 016fc61

@schiller-manuel schiller-manuel merged commit 94160c7 into TanStack:main Dec 25, 2025
6 checks passed