
🐛 bug: prevent panic when CBOR is not explicitly configured#4269

Merged
ReneWerner87 merged 4 commits into main from fix-panic-trigger-from-cbor-content-type on May 10, 2026

Conversation

@gaby
Member

@gaby gaby commented May 10, 2026

Motivation

  • A previous refactor replaced the default CBOR marshal/unmarshal with panic-only stubs, which made a panic reachable through Bind().Body via an attacker-controlled Content-Type: application/cbor header.
  • The change preserves CBOR as opt-in but must not allow a panic to be triggered from normal request dispatch paths.

Description

  • Replace panic stubs in binder/cbor.go with an errUnimplementedCBOR error and make UnimplementedCborMarshal/UnimplementedCborUnmarshal return that error instead of calling panic.
  • Update binder/cbor_test.go to assert error-return behavior for the unimplemented CBOR helpers rather than expecting panics.
  • This is a minimal remediation that preserves opt-in semantics while ensuring failures propagate as errors handled by existing Fiber error paths.
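To make the before/after concrete, here is an added, self-contained Go sketch (not Fiber's code): the panicking stub beside the stub that returns the sentinel, behind a toy Content-Type dispatcher and a recover wrapper standing in for the request path. The sentinel's message text and the dispatcher are assumptions; only the function names come from the PR.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrUnimplementedCBOR mirrors the exported sentinel the PR introduces; the message text is assumed from the review thread.
var ErrUnimplementedCBOR = errors.New("binder: must explicitly set up CBOR, please check docs: https://docs.gofiber.io/next/guide/advance-format#cbor")

type UnmarshalFunc func(data []byte, v any) error // decoder shape shared by both stubs

// panickingCborUnmarshal reproduces the pre-fix stub: reaching it aborts the goroutine.
func panickingCborUnmarshal(_ []byte, _ any) error {
	panic("must explicitly setup CBOR")
}

// UnimplementedCborUnmarshal is the fixed stub: the same condition becomes an ordinary error.
func UnimplementedCborUnmarshal(_ []byte, _ any) error {
	return ErrUnimplementedCBOR
}

// bindBody is a toy stand-in (not Fiber's code) for Content-Type dispatch; the header is client controlled, so the CBOR slot is reachable by any request.
func bindBody(cbor UnmarshalFunc, contentType string, body []byte, out any) error {
	mediaType := strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0]))
	if mediaType == "application/cbor" {
		return cbor(body, out)
	}
	return fmt.Errorf("binder: unsupported media type %q", mediaType)
}

// Dispatch observes bindBody the way a recover middleware would: it reports whether the path panicked and, if not, the binder's error.
func Dispatch(cbor UnmarshalFunc, contentType string, body []byte) (panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked, err = true, fmt.Errorf("recovered panic: %v", r)
		}
	}()
	var out map[string]any
	return false, bindBody(cbor, contentType, body, &out)
}

func main() {
	body := []byte{0xa0} // constructed request body: an empty CBOR map
	p, err := Dispatch(panickingCborUnmarshal, "application/cbor", body)
	fmt.Printf("before fix: panicked=%v err=%v\n", p, err)
	p, err = Dispatch(UnimplementedCborUnmarshal, "application/cbor; charset=utf-8", body)
	fmt.Printf("after fix:  panicked=%v sentinel=%v\n", p, errors.Is(err, ErrUnimplementedCBOR))
}
```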

@gaby gaby requested a review from a team as a code owner May 10, 2026 02:48
Copilot AI review requested due to automatic review settings May 10, 2026 02:48
@gaby gaby requested review from ReneWerner87, efectn and sixcolors May 10, 2026 02:48
@coderabbitai
Contributor

coderabbitai Bot commented May 10, 2026

Review Change Stack
No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration: Configuration used: Repository UI; Review profile: CHILL; Plan: Pro; Run ID: 6764f98c-7f5f-4364-ade1-7b1f524710da
📥 Commits: Reviewing files that changed from the base of the PR and between 179aac3 and e2e7588.
📒 Files selected for processing (1)
  • binder/cbor.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • binder/cbor.go

Walkthrough

Replace panic-based CBOR stubs with an exported sentinel error ErrUnimplementedCBOR; update UnimplementedCborMarshal/UnimplementedCborUnmarshal to return that error and adjust tests to assert ErrUnimplementedCBOR instead of expecting panics.

Changes

CBOR Error Handling

  • Errors Import (binder/cbor.go): Add the errors import required to create the sentinel error.
  • Error Sentinel (binder/cbor.go): Add the exported ErrUnimplementedCBOR sentinel error value.
  • Function Implementation (binder/cbor.go): UnimplementedCborMarshal now returns (nil, ErrUnimplementedCBOR); UnimplementedCborUnmarshal returns ErrUnimplementedCBOR.
  • Tests (binder/cbor_test.go): Remove panic-based tests; add Test_UnimplementedCborMarshal_ReturnsError and Test_UnimplementedCborUnmarshal_ReturnsError asserting ErrUnimplementedCBOR.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • gofiber/fiber#3580: Directly modifies the same CBOR unimplemented stubs and is related to CBOR binding behavior.

Suggested reviewers

  • sixcolors
  • ReneWerner87
  • efectn

Poem

🐰 I used to panic in the night,
Now I return a gentler light.
A sentinel error, neat and small,
Lets callers handle it—no more fall.
The binder hops, composed and bright.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 40.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Description check ❓ Inconclusive: The description clearly outlines motivation, changes, and technical details, but does not follow the template structure with required sections like the 'Changes introduced' checklist or 'Type of change'. Resolution: consider organizing the description according to the repository template with explicit 'Changes introduced' and 'Type of change' sections to improve consistency.
✅ Passed checks (3 passed)
  • Title check ✅ Passed: The title 'bug: prevent panic when CBOR is not explicitly configured' clearly summarizes the main change, replacing panic stubs with error returns for CBOR handling.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"



@ReneWerner87 ReneWerner87 added this to the v3 milestone May 10, 2026
@ReneWerner87 ReneWerner87 added this to v3 May 10, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
binder/cbor_test.go (1)

93-98: ⚡ Quick win

Prefer sentinel-based assertions over exact error-string matching.

These tests are less brittle if they assert errors.Is semantics (require.ErrorIs) against errUnimplementedCBOR. Also consider asserting marshal output is nil when erroring.

Proposed test refinement
 func Test_UnimplementedCborMarshal_ReturnsError(t *testing.T) {
 	t.Parallel()

-	_, err := UnimplementedCborMarshal(struct{ Name string }{Name: "test"})
-	require.EqualError(t, err, "must explicitly setup CBOR, please check docs: https://docs.gofiber.io/next/guide/advance-format#cbor")
+	out, err := UnimplementedCborMarshal(struct{ Name string }{Name: "test"})
+	require.ErrorIs(t, err, errUnimplementedCBOR)
+	require.Nil(t, out)
 }

 func Test_UnimplementedCborUnmarshal_ReturnsError(t *testing.T) {
 	t.Parallel()

 	var out any
 	err := UnimplementedCborUnmarshal([]byte{0xa0}, &out)
-	require.EqualError(t, err, "must explicitly setup CBOR, please check docs: https://docs.gofiber.io/next/guide/advance-format#cbor")
+	require.ErrorIs(t, err, errUnimplementedCBOR)
 }
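Review bot: the Unmarshal half of the suggestion only checks the error; for parity with the `require.Nil(t, out)` added to the marshal test, it should also assert that the destination is untouched after the call (`require.Nil(t, out)`), otherwise a stub that writes into `out` before returning the sentinel would still pass. The thread later exports the sentinel as `binder.ErrUnimplementedCBOR` (follow-up 179aac3), so the `require.ErrorIs(t, err, errUnimplementedCBOR)` lines should reference the exported name once that lands, or the suggestion will not compile against the merged code.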

Also applies to: 100-106

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@binder/cbor_test.go` around lines 93-98, replace the brittle exact-string
assertion in Test_UnimplementedCborMarshal_ReturnsError by asserting error
sentinel semantics: call UnimplementedCborMarshal and use require.ErrorIs(t,
err, errUnimplementedCBOR) and also require.Nil(t, out) (or equivalent) to
assert the returned marshal output is nil; update the parallel test and any
other tests (e.g., the block around lines 100-106) that currently compare exact
error strings to use ErrorIs with the errUnimplementedCBOR sentinel instead.

ℹ️ Review info
⚙️ Run configuration: Configuration used: Repository UI; Review profile: CHILL; Plan: Pro; Run ID: d080c57c-fbb9-4411-a4f0-9abcb81d9f3b
📥 Commits: Reviewing files that changed from the base of the PR and between 30b1caa and e3e538c.
📒 Files selected for processing (2)
  • binder/cbor.go
  • binder/cbor_test.go

Contributor

Copilot AI left a comment


Pull request overview

This PR hardens Fiber’s CBOR binding/encoding defaults by removing panic-only “unimplemented” stubs and replacing them with a sentinel error, preventing attacker-controlled Content-Type: application/cbor from triggering a panic when CBOR isn’t explicitly configured.

Changes:

  • Replace panic in binder/cbor.go unimplemented CBOR helpers with a shared errUnimplementedCBOR error return.
  • Update binder/cbor_test.go to assert error-return behavior instead of expecting panics.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

  • binder/cbor.go: Replaces CBOR “unimplemented” panic stubs with an error-return sentinel to avoid request-path panics.
  • binder/cbor_test.go: Updates tests to validate the new error-based behavior for unimplemented CBOR helpers.

Comment thread binder/cbor.go Outdated
Comment thread binder/cbor_test.go
Comment thread binder/cbor_test.go
@codecov

codecov Bot commented May 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.25%. Comparing base (6bf2f17) to head (e2e7588).
⚠️ Report is 29 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4269      +/-   ##
==========================================
+ Coverage   91.18%   91.25%   +0.06%     
==========================================
  Files         129      130       +1     
  Lines       12757    12753       -4     
==========================================
+ Hits        11633    11638       +5     
+ Misses        709      702       -7     
+ Partials      415      413       -2     
Flag Coverage Δ
unittests 91.25% <100.00%> (+0.06%) ⬆️


Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request replaces panics with error returns in the CBOR binder when the marshaler or unmarshaler is not configured, updating both the implementation and associated tests. Feedback suggests exporting the sentinel error as ErrUnimplementedCBOR with a "binder: " prefix for consistency and better usability. Additionally, the reviewer recommends using require.ErrorIs in tests for more robust verification and ensuring that the Reset method and binder pool utilize these default error-returning functions instead of nil to prevent potential panics in other parts of the codebase.

Comment thread binder/cbor.go Outdated
Comment thread binder/cbor.go Outdated
Comment thread binder/cbor.go Outdated
Comment thread binder/cbor_test.go Outdated
Comment thread binder/cbor_test.go Outdated
@gaby
Member Author

gaby commented May 10, 2026

@copilot apply changes based on the comments in this thread

Contributor

@github-actions github-actions Bot left a comment


⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

Benchmark suite (github.com/gofiber/fiber/v3) | Current: e3e538c | Previous: 30b1caa | Ratio
  • Benchmark_NewError: 86.25 ns/op, 24 B/op, 1 allocs/op (current) vs 48.96 ns/op, 24 B/op, 1 allocs/op (previous); ratio 1.76
  • Benchmark_Router_Handler_StrictRouting: 222.1 ns/op, 0 B/op, 0 allocs/op (current) vs 119.6 ns/op, 0 B/op, 0 allocs/op (previous); ratio 1.86

This comment was automatically generated by workflow using github-action-benchmark.

@gaby
Member Author

gaby commented May 10, 2026

@copilot

  • errUnimplementedCBOR should be exported
  • we should use require.ErrorIs

Contributor

Copilot AI commented May 10, 2026

@copilot apply changes based on the comments in this thread

Addressed in c3aa326: updated the CBOR error text to use “set up” and changed the CBOR tests to assert the sentinel error with require.ErrorIs instead of the full string.

Contributor

Copilot AI commented May 10, 2026

@copilot

  • errUnimplementedCBOR should be exported
  • we should use require.ErrorIs

Updated in 179aac3: the sentinel is now exported as binder.ErrUnimplementedCBOR, and the tests use require.ErrorIs against the exported error.

Copilot finished work on behalf of gaby May 10, 2026 03:09
@gaby gaby changed the title 🐛 bug: avoid panic when CBOR is not explicitly configured 🐛 bug: prevent panic when CBOR is not explicitly configured May 10, 2026
@gaby
Member Author

gaby commented May 10, 2026

@copilot the error should start with "binder: "

Contributor

Copilot AI commented May 10, 2026

@copilot the error should start with "binder: "

Updated in e2e7588: ErrUnimplementedCBOR now starts with "binder: ". No UI changes in this backend-only update.

Copilot finished work on behalf of gaby May 10, 2026 03:18
@ReneWerner87 ReneWerner87 merged commit 371164a into main May 10, 2026
21 checks passed
@github-project-automation github-project-automation Bot moved this to Done in v3 May 10, 2026
@ReneWerner87 ReneWerner87 deleted the fix-panic-trigger-from-cbor-content-type branch May 10, 2026 12:01
4 participants