🐛 bug: prevent panic when MsgPack is not configured #4268

Merged: ReneWerner87 merged 4 commits into main from fix-msgpack-default-panic-issue, May 10, 2026

gaby (Member) commented May 10, 2026

Motivation

  • Prevent a remote process-crashing panic when attacker-controlled Content-Type/Accept headers select MsgPack paths while the app did not configure MsgPack, by converting panic stubs into safe error returns.

Description

  • Replace panic stubs with a typed error by adding ErrMsgpackNotConfigured and returning it from UnimplementedMsgpackMarshal and UnimplementedMsgpackUnmarshal in binder/msgpack.go.
  • Update binder/msgpack_test.go to assert the new error behavior instead of expecting panics.
  • The change preserves functionality (MsgPack remains unavailable until configured) while removing the ability for unauthenticated remote requests to crash the process.
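
The difference between the two stub shapes described above, as an added example (not code from the PR or from Fiber): a hypothetical `bindHandler` picks a decoder from the request's Content-Type, and `probe` sends one constructed request to it. The media type string, the error message text and the 415 mapping are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sentinel named in the PR; its message text and msgpackMIME are assumptions.
var ErrMsgPackNotConfigured = errors.New("binder: msgpack is not configured")
const msgpackMIME = "application/vnd.msgpack"

// Default decoders: the pre-fix stub panics, the post-fix stub returns the sentinel.
func panicStub([]byte, any) error { panic("msgpack is not configured") }
func errorStub([]byte, any) error { return ErrMsgPackNotConfigured }

// bindHandler (hypothetical) picks the decoder from the client-supplied Content-Type.
func bindHandler(decode func([]byte, any) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status := http.StatusNoContent // other media types are not modelled
		if strings.HasPrefix(r.Header.Get("Content-Type"), msgpackMIME) {
			body, _ := io.ReadAll(r.Body)
			var out map[string]any
			if err := decode(body, &out); errors.Is(err, ErrMsgPackNotConfigured) {
				status = http.StatusUnsupportedMediaType // clean refusal
			} else if err != nil {
				status = http.StatusBadRequest
			}
		}
		w.WriteHeader(status)
	})
}

// probe sends one constructed request and reports whether the handler panicked.
func probe(h http.Handler, contentType string) (status int, panicked bool) {
	defer func() { panicked = recover() != nil }()
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader("\x81\xa1a\x01"))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, false
}

func main() {
	fmt.Println(probe(bindHandler(panicStub), msgpackMIME)) // handler panics
	fmt.Println(probe(bindHandler(errorStub), msgpackMIME)) // 415, no panic
}
```

With the error-returning stub the caller decides the response through `errors.Is`, so an unconfigured format becomes an ordinary refusal rather than a control-flow event triggered by a header.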

coderabbitai Bot (Contributor) commented May 10, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d8d581d and 2fa8169.

📒 Files selected for processing (1)
  • internal/memory/memory_test.go

Walkthrough

MsgPack binder functions now return exported error ErrMsgPackNotConfigured instead of panicking; tests updated to assert the error. Separately, an internal memory TTL test was changed from a fixed sleep to a polling-based require.Eventually assertion.

Changes

MsgPack Error Handling Refactor

| Layer / File(s) | Summary |
| --- | --- |
| Error Contract Definition (binder/msgpack.go) | New exported error ErrMsgPackNotConfigured with documentation URL is defined at package level. |
| Function Implementation (binder/msgpack.go) | UnimplementedMsgpackMarshal returns (nil, ErrMsgPackNotConfigured) and UnimplementedMsgpackUnmarshal returns ErrMsgPackNotConfigured instead of panicking. |
| Tests / Validation (binder/msgpack_test.go) | Removed panic-focused tests; added tests asserting both functions return ErrMsgPackNotConfigured. |

Memory TTL Test Update

| Layer / File(s) | Summary |
| --- | --- |
| Polling-based TTL Assertion (internal/memory/memory_test.go) | Replaced Sleep+single Get assertion with require.Eventually polling until stored key is nil or timeout. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • gofiber/fiber#3565: Modifies the same MsgPack binder functions to introduce an exported ErrMsgPackNotConfigured and adjust tests accordingly.

Suggested reviewers

  • sixcolors
  • ReneWerner87
  • efectn

Poem

🐰 No more panics in the night,
Errors returned, clean and right,
MsgPack handlers now behave,
Tests poll gently, no sleep to brave,
A rabbit hops — the trees feel light! ✨

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The PR description clearly explains motivation, implementation approach, and test updates, but does not follow the provided repository template structure. | Restructure the description to follow the repository template: add 'Fixes # (issue)', 'Changes introduced' section with relevant checkboxes, 'Type of change' section, and 'Checklist' items to ensure consistency with contribution guidelines. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly identifies the main change: converting panic behavior to safe error returns when MsgPack is not configured. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"


ReneWerner87 added this to v3 May 10, 2026
ReneWerner87 added this to the v3 milestone May 10, 2026

coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (1)
binder/msgpack_test.go (1)

92-94: ⚡ Quick win

Assert the marshal return payload is nil alongside the error.

You’re already checking ErrMsgpackNotConfigured; also verifying the []byte result is nil will lock in the full contract and prevent subtle regressions.

Suggested test tweak
-	_, err := UnimplementedMsgpackMarshal(struct{ Name string }{Name: "test"})
+	got, err := UnimplementedMsgpackMarshal(struct{ Name string }{Name: "test"})
+	require.Nil(t, got)
 	require.ErrorIs(t, err, ErrMsgpackNotConfigured)
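Review bot: the last line of this suggestion still asserts against `ErrMsgpackNotConfigured`, while the exported error was renamed to `ErrMsgPackNotConfigured` later in this thread (d8d581d), so the identifier needs the new casing before the tweak is applied. The added `require.Nil(t, got)` check on the `[]byte` result is otherwise a reasonable way to pin the `(nil, error)` contract of `UnimplementedMsgpackMarshal`.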
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@binder/msgpack_test.go` around lines 92 - 94, The test currently checks only
the error from UnimplementedMsgpackMarshal; also assert that the returned []byte
payload is nil to enforce the contract: after calling
UnimplementedMsgpackMarshal(struct{ Name string }{Name: "test"}) assert err is
ErrMsgpackNotConfigured and that the first return value is nil (e.g. using
require.Nil or require.Equal(t, nil, payload)) so the test verifies both the
error and that no bytes are returned.

📥 Commits

Reviewing files that changed from the base of the PR and between 30b1caa and f96312d.

📒 Files selected for processing (2)
  • binder/msgpack.go
  • binder/msgpack_test.go

gaby changed the title from "🐛 bug: prevent panic DoS when MsgPack is not configured" to "🐛 bug: prevent panic when MsgPack is not configured" May 10, 2026

codecov Bot commented May 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.25%. Comparing base (30b1caa) to head (2fa8169).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4268   +/-   ##
=======================================
  Coverage   91.25%   91.25%           
=======================================
  Files         130      130           
  Lines       12753    12753           
=======================================
  Hits        11638    11638           
  Misses        702      702           
  Partials      413      413           
| Flag | Coverage Δ |
| --- | --- |
| unittests | 91.25% <100.00%> (ø) |

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens Fiber’s MsgPack integration by replacing the default “unconfigured MsgPack” panic stubs with safe error returns, preventing attacker-controlled Content-Type/Accept headers from crashing the process when MsgPack isn’t configured.

Changes:

  • Introduces a new exported sentinel error and returns it from the MsgPack “unimplemented” marshal/unmarshal stubs instead of panicking.
  • Updates MsgPack binder tests to assert error behavior rather than panic behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| binder/msgpack.go | Replaces panic-based MsgPack stubs with a typed exported error return. |
| binder/msgpack_test.go | Updates tests to validate the new non-panicking error behavior. |

gaby (Member, Author) commented May 10, 2026

@copilot apply changes based on the comments in this thread

gemini-code-assist Bot (Contributor) left a comment

Code Review

This pull request refactors the MsgPack binder to return an error instead of panicking when the marshaler or unmarshaler is not configured. It introduces a new error variable and updates the test suite accordingly. Review feedback recommends renaming the error variable to ErrMsgPackNotConfigured for consistency, prefixing the error message with the package name, and maintaining consistent casing in documentation comments.

Copilot AI (Contributor) commented May 10, 2026

> @copilot apply changes based on the comments in this thread

Applied in d8d581d: renamed the exported error to ErrMsgPackNotConfigured, updated the binder-prefixed error text, and fixed the MsgPack casing in the related comments.

Copilot finished work on behalf of gaby May 10, 2026 01:50
gaby (Member, Author) commented May 10, 2026

@copilot === FAIL: internal/memory Test_Memory (1.10s)
memory_test.go:34:
Error Trace: /home/runner/work/fiber/fiber/internal/memory/memory_test.go:34
Error: Expected nil, but got: []byte{0x64, 0x6f, 0x65}
Test: Test_Memory

=== FAIL: internal/memory Test_Memory (1.10s)
memory_test.go:34:
Error Trace: /home/runner/work/fiber/fiber/internal/memory/memory_test.go:34
Error: Expected nil, but got: []byte{0x64, 0x6f, 0x65}
Test: Test_Memory

=== FAIL: internal/memory Test_Memory (1.10s)
memory_test.go:34:
Error Trace: /home/runner/work/fiber/fiber/internal/memory/memory_test.go:34
Error: Expected nil, but got: []byte{0x64, 0x6f, 0x65}
Test: Test_Memory

Copilot AI (Contributor) commented May 10, 2026

> @copilot === FAIL: internal/memory Test_Memory (1.10s)
> memory_test.go:34:
> Error Trace: /home/runner/work/fiber/fiber/internal/memory/memory_test.go:34
> ...

Fixed in 2fa8169. I replaced the fixed 1.1s sleep in internal/memory/Test_Memory with require.Eventually(...) so the TTL assertion waits for expiration instead of racing the timestamp/GC timing seen in the repeated test job.

Copilot finished work on behalf of gaby May 10, 2026 02:45
ReneWerner87 merged commit bbdf76c into main May 10, 2026 (21 checks passed)
ReneWerner87 deleted the fix-msgpack-default-panic-issue branch May 10, 2026 12:07
github-project-automation Bot moved this to Done in v3 May 10, 2026