🐛 fix: restore strict overflow check in float parser

[gaby]

Motivation

• Repair a regression in parseFloat where the integer mantissa accumulation allowed uint64 wraparound and produced incorrect parsed float values for oversized decimal mantissas.
• Prevent attacker-controlled inputs from being misparsed (e.g. 25000000000000000000e-18) which could bypass numeric validation.

Description

• Restore a pre-multiply overflow check in parseFloat by adding maxUint64Div10 and maxUint64Mod10 and validating intPart before computing intPart*10 + digit in parse.go.
• Replace the post-multiply monotonicity test with the precise boundary check and then perform the multiplication/accumulation only after it passes.
• Add a regression test case for the problematic input "25000000000000000000e-18" in parse_test.go and mark it as an expected parse error to ensure the overflow is rejected going forward.

Summary by CodeRabbit

• Bug Fixes

  • Improved overflow checks during numeric parsing so extremely large integers/floats are detected earlier and reported as out-of-range instead of producing incorrect results.

• Tests

  • Added coverage for an edge-case large numeric literal to ensure parsing fails appropriately at numeric boundaries.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e17ef66d-c572-42c2-821d-f1cdfd000cd4

📥 Commits

Reviewing files that changed from the base of the PR and between 530f871 and 527e0cc.

📒 Files selected for processing (1)

• parse.go

🚧 Files skipped from review as they are similar to previous changes (1)

• parse.go

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Analyze (go)

---

📝 Walkthrough

Walkthrough

File-level uint64 cutoff constants were added, digit parsing now uses those cutoffs, and integer-part accumulation in parseFloat pre-checks the uint64 boundary. A test was added asserting parsing "25000000000000000000e-18" fails.

Changes

Uint64 Mantissa Overflow Detection

Layer / File(s)	Summary
File-level cutoff constants and parseDigits update parse.go	Adds maxFracDigits, maxUint64Cutoff, maxUint64Cutlim and updates parseDigits to use these file-level cutoffs; overflow continues to return strconv.ErrRange.
parseFloat pre-update check and test parse.go, parse_test.go	parseFloat now checks against maxUint64Cutoff/maxUint64Cutlim before updating intPart and returns strconv.ErrRange on boundary; adds test asserting "25000000000000000000e-18" fails to parse.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• gofiber/utils#137: Both PRs modify parse.go’s numeric parsing overflow/range handling for uint64/float integer-part parsing.
• gofiber/utils#134: Both PRs touch float parsing in parse.go, including handling of large/invalid inputs and parse behavior.

Suggested labels

🧹 Updates

Suggested reviewers

• sixcolors
• efectn

Poem

A rabbit counts each digit tight,
Guards the cutoff through the night,
When mantissa tries to grow too wide,
It stops, returns — no overflowed tide,
Hooray for bounds kept safe and right! 🐇✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: restoring strict overflow checking in the float parser to fix a regression where oversized decimal mantissas could wrap uint64.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-float-parser-overflow-check

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.08%. Comparing base (79a8938) to head (527e0cc).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #199      +/-   ##
==========================================
- Coverage   84.15%   84.08%   -0.07%     
==========================================
  Files          14       14              
  Lines        1155     1150       -5     
==========================================
- Hits          972      967       -5     
  Misses        152      152              
  Partials       31       31              

Flag	Coverage Δ
unittests	84.08% <100.00%> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Repairs an integer mantissa overflow regression in the custom parseFloat implementation to prevent uint64 wraparound from producing incorrect float results, and adds a regression test to ensure oversized mantissas are rejected going forward.

Changes:

• Restored a pre-multiply overflow boundary check for intPart = intPart*10 + digit in parseFloat.
• Replaced the prior wrap/monotonicity-based detection with a precise MaxUint64 div/mod by 10 check.
• Added a regression test case for "25000000000000000000e-18" expecting a parse failure.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
parse.go	Adds a correct uint64 pre-multiply overflow guard when accumulating the integer mantissa in parseFloat.
parse_test.go	Adds a regression case ensuring oversized mantissas that would overflow are rejected.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gemini-code-assist]

Code Review

This pull request improves the overflow detection logic in the parseFloat function by explicitly checking bounds before performing arithmetic operations on the integer part. It also adds a new test case for large numeric inputs. The reviewer suggested using math.MaxUint64 for better readability and recommended moving the overflow constants to the package level to improve code reuse and maintainability.

[gaby]

@copilot For better readability and consistency with other parts of this file (e.g., parseDigits), it's better to use math.MaxUint64 instead of ^uint64(0).

Additionally, to improve code reuse, consider defining these constants at the package level. A similar set of constants (cutoff and cutlim) already exists in the parseDigits function. Consolidating them would reduce duplication and improve maintainability.

[Copilot]

@copilot For better readability and consistency with other parts of this file (e.g., parseDigits), it's better to use math.MaxUint64 instead of ^uint64(0).

Additionally, to improve code reu...

Updated in 527e0cc: the overflow cutoff values now use math.MaxUint64 and are defined once at package scope so both parseDigits and parseFloat reuse the same constants.