Skip to content

fix: handler overflow panic#1066

Merged
oliverbaehler merged 2 commits into
projectcapsule:mainfrom
oliverbaehler:fix/context-overflow
Jul 2, 2026
Merged

fix: handler overflow panic#1066
oliverbaehler merged 2 commits into
projectcapsule:mainfrom
oliverbaehler:fix/context-overflow

Conversation

@oliverbaehler

Copy link
Copy Markdown
Collaborator

No description provided.

Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
Copilot AI review requested due to automatic review settings July 2, 2026 12:19

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes panic-based control flow in the webserver error paths and introduces a local recovery middleware to prevent request-handler panics from cascading, while also updating Helm APF FlowSchema rules to include TokenReview calls.

Changes:

  • Replaced gorilla/handlers recovery handler with a custom recoveryMiddleware on the mux router.
  • Removed intentional panic(...) calls after writing error responses; added early return statements after handling errors.
  • Updated the Helm FlowSchema to include authentication.k8s.io/tokenreviews create requests.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
internal/webserver/webserver.go Switches to custom recovery middleware and adjusts several handlers to return after writing errors.
internal/webserver/middleware/user_in_group.go Adds error responses + early returns when user/group resolution fails inside group-check middleware.
internal/webserver/middleware/jwt.go Adds early returns after TokenReview failure/unauthorized handling.
internal/webserver/errors/panic.go Stops panicking after writing JSON error responses; sets explicit HTTP status codes.
go.mod Removes github.com/gorilla/handlers dependency.
go.sum Removes github.com/gorilla/handlers checksums.
charts/capsule-proxy/templates/flowschema.yaml Adds APF FlowSchema rule for tokenreviews create.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines 350 to 354
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")

return
}
Comment on lines 32 to 37
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")
errors.HandleError(writer, err, "cannot retrieve user and group from the request")

return
}
Comment on lines 58 to 63
if err != nil {
log.Error(err, "Cannot retrieve username and group from request")
errors.HandleError(writer, err, "cannot retrieve user and group from the request")

return
}
Comment on lines +619 to +621
if err, ok := recovered.(error); ok && errors.Is(err, http.ErrAbortHandler) {
return
}
Comment thread internal/webserver/webserver.go Outdated
Comment on lines +623 to +624
n.log.Error(fmt.Errorf("%v", recovered), "panic while handling request")
http.Error(writer, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
Comment thread internal/webserver/middleware/jwt.go Outdated
}

if statusErr := tr.Status.Error; len(statusErr) > 0 {
invalidatedToken.Insert(token)
Comment on lines 551 to 556
request, username, groups, err := req.ResolveUserAndGroups(request, n.authTypes, n.usernameClaimField, n.writer, n.ignoredImpersonationGroups, n.impersonationGroupsRegexp, n.skipImpersonationReview, n.xfcc_header)
if err != nil {
server.HandleError(writer, err, "cannot retrieve user and group from the request")

return
}
Signed-off-by: Oliver Baehler <oliver@sudo-i.net>
@oliverbaehler oliverbaehler merged commit e1e9450 into projectcapsule:main Jul 2, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants