fix(core): harden json field handling and cache guards

SantiagoDePolonia · SantiagoDePolonia · commit a5d171fa60ed · 2026-03-22T19:11:33.000+01:00
diff --git a/docs/superpowers/plans/2026-03-22-chat-unknown-fields-refactor.md b/docs/superpowers/plans/2026-03-22-chat-unknown-fields-refactor.md
diff --git a/internal/core/batch_preparation_test.go b/internal/core/batch_preparation_test.go
@@ -38,8 +38,14 @@ func TestCloneBatchRequestDeepCopiesNestedFields(t *testing.T) {
 	cloned.Requests[0].CustomID = "chat-2"
 	cloned.Requests[0].Body[10] = 'X'
 	itemExtra := cloned.Requests[0].ExtraFields.Lookup("x_item")
+	if len(itemExtra) <= 9 {
+		t.Fatalf("cloned item extra too short: %q", itemExtra)
+	}
 	itemExtra[9] = 'f'
 	topExtra := cloned.ExtraFields.Lookup("x_top")
+	if len(topExtra) <= 9 {
+		t.Fatalf("cloned top extra too short: %q", topExtra)
+	}
 	topExtra[9] = 'f'
 
 	if got := original.Metadata["provider"]; got != "openai" {
diff --git a/internal/core/json_fields.go b/internal/core/json_fields.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"math"
 	"sort"
 	"strconv"
 )
@@ -53,7 +54,12 @@ func UnknownJSONFieldsFromMap(fields map[string]json.RawMessage) UnknownJSONFiel
 		}
 		buf.Write(keyBody)
 		buf.WriteByte(':')
-		buf.Write(CloneRawJSON(fields[key]))
+		rawValue := CloneRawJSON(fields[key])
+		if len(rawValue) == 0 {
+			buf.WriteString("null")
+			continue
+		}
+		buf.Write(rawValue)
 	}
 	buf.WriteByte('}')
 	return UnknownJSONFields{raw: buf.Bytes()}
@@ -133,7 +139,11 @@ func mergeUnknownJSONObject(baseBody, extraBody []byte) ([]byte, error) {
 		return CloneRawJSON(extraBody), nil
 	}
 
-	merged := make([]byte, 0, len(baseBody)+len(extraBody)-1)
+	totalCap, err := mergedJSONObjectCap(len(baseBody), len(extraBody))
+	if err != nil {
+		return nil, err
+	}
+	merged := make([]byte, 0, totalCap)
 	merged = append(merged, baseBody[:len(baseBody)-1]...)
 	if !bytes.Equal(extraBody, []byte("{}")) {
 		merged = append(merged, ',')
@@ -142,6 +152,16 @@ func mergeUnknownJSONObject(baseBody, extraBody []byte) ([]byte, error) {
 	return merged, nil
 }
 
+func mergedJSONObjectCap(baseLen, extraLen int) (int, error) {
+	if extraLen <= 0 {
+		return 0, fmt.Errorf("unknown JSON fields are empty")
+	}
+	if baseLen > math.MaxInt-(extraLen-1) {
+		return 0, fmt.Errorf("combined JSON object too large")
+	}
+	return baseLen + extraLen - 1, nil
+}
+
 func readJSONObjectKey(dec *json.Decoder) (string, bool) {
 	keyToken, err := dec.Token()
 	if err != nil {
@@ -205,8 +225,22 @@ func extractUnknownJSONFieldsObjectByScan(data []byte, knownFields ...string) (U
 		}
 
 		i = skipJSONWhitespace(data, valueEnd)
-		if i < len(data) && data[i] == ',' {
+		if i >= len(data) {
+			return UnknownJSONFields{}, fmt.Errorf("unterminated JSON object")
+		}
+		switch data[i] {
+		case ',':
 			i = skipJSONWhitespace(data, i+1)
+			if i >= len(data) {
+				return UnknownJSONFields{}, fmt.Errorf("unterminated JSON object")
+			}
+			if data[i] == '}' {
+				return UnknownJSONFields{}, fmt.Errorf("unexpected trailing comma in JSON object")
+			}
+		case '}':
+			// The next loop iteration will terminate cleanly on the closing brace.
+		default:
+			return UnknownJSONFields{}, fmt.Errorf("expected ',' or '}' after object value")
 		}
 	}
 
@@ -233,12 +267,19 @@ func scanJSONValue(data []byte, start int) (int, error) {
 		for i < len(data) {
 			switch data[i] {
 			case ',', '}', ']':
-				return i, nil
+				goto validateLiteral
 			case ' ', '\n', '\r', '\t':
-				return i, nil
+				goto validateLiteral
 			}
 			i++
 		}
+	validateLiteral:
+		if i == start {
+			return 0, fmt.Errorf("expected JSON literal")
+		}
+		if err := validateJSONLiteral(data[start:i]); err != nil {
+			return 0, err
+		}
 		return i, nil
 	}
 }
@@ -267,8 +308,22 @@ func scanJSONObject(data []byte, start int) (int, error) {
 			return 0, err
 		}
 		i = skipJSONWhitespace(data, valueEnd)
-		if i < len(data) && data[i] == ',' {
-			i++
+		if i >= len(data) {
+			return 0, fmt.Errorf("unterminated JSON object")
+		}
+		switch data[i] {
+		case ',':
+			i = skipJSONWhitespace(data, i+1)
+			if i >= len(data) {
+				return 0, fmt.Errorf("unterminated JSON object")
+			}
+			if data[i] == '}' {
+				return 0, fmt.Errorf("unexpected trailing comma in JSON object")
+			}
+		case '}':
+			return i + 1, nil
+		default:
+			return 0, fmt.Errorf("expected ',' or '}' after object value")
 		}
 	}
 	return 0, fmt.Errorf("unterminated JSON object")
@@ -289,13 +344,40 @@ func scanJSONArray(data []byte, start int) (int, error) {
 			return 0, err
 		}
 		i = skipJSONWhitespace(data, valueEnd)
-		if i < len(data) && data[i] == ',' {
-			i++
+		if i >= len(data) {
+			return 0, fmt.Errorf("unterminated JSON array")
+		}
+		switch data[i] {
+		case ',':
+			i = skipJSONWhitespace(data, i+1)
+			if i >= len(data) {
+				return 0, fmt.Errorf("unterminated JSON array")
+			}
+			if data[i] == ']' {
+				return 0, fmt.Errorf("unexpected trailing comma in JSON array")
+			}
+		case ']':
+			return i + 1, nil
+		default:
+			return 0, fmt.Errorf("expected ',' or ']' after array element")
 		}
 	}
 	return 0, fmt.Errorf("unterminated JSON array")
 }
 
+func validateJSONLiteral(raw []byte) error {
+	var value any
+	if err := json.Unmarshal(raw, &value); err != nil {
+		return fmt.Errorf("invalid JSON literal: %w", err)
+	}
+	switch value.(type) {
+	case nil, bool, float64:
+		return nil
+	default:
+		return fmt.Errorf("invalid JSON literal")
+	}
+}
+
 func scanJSONString(data []byte, start int) (int, error) {
 	if start >= len(data) || data[start] != '"' {
 		return 0, fmt.Errorf("expected JSON string")
diff --git a/internal/core/json_fields_test.go b/internal/core/json_fields_test.go
@@ -3,6 +3,7 @@ package core
 import (
 	"bytes"
 	"encoding/json"
+	"math"
 	"testing"
 )
 
@@ -54,3 +55,43 @@ func TestExtractUnknownJSONFieldsObjectByScan_HandlesEscapedStrings(t *testing.T
 		t.Fatalf("x_json = %s", got)
 	}
 }
+
+func TestUnknownJSONFieldsFromMap_EmptyRawValueEncodesAsNull(t *testing.T) {
+	fields := UnknownJSONFieldsFromMap(map[string]json.RawMessage{
+		"x_nil": nil,
+		"x_set": json.RawMessage(`true`),
+	})
+
+	if got := fields.Lookup("x_nil"); !bytes.Equal(got, []byte("null")) {
+		t.Fatalf("x_nil = %q, want null", got)
+	}
+	if got := fields.Lookup("x_set"); !bytes.Equal(got, []byte("true")) {
+		t.Fatalf("x_set = %q, want true", got)
+	}
+}
+
+func TestExtractUnknownJSONFieldsObjectByScan_RejectsInvalidJSONSyntax(t *testing.T) {
+	tests := []struct {
+		name string
+		body string
+	}{
+		{name: "invalid bare literal", body: `{"known":"value","x":wat}`},
+		{name: "missing object comma", body: `{"known":"value" "x":1}`},
+		{name: "trailing object comma", body: `{"known":"value","x":1,}`},
+		{name: "trailing array comma", body: `{"known":"value","x":[1,]}`},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if _, err := extractUnknownJSONFieldsObjectByScan([]byte(tt.body), "known"); err == nil {
+				t.Fatalf("extractUnknownJSONFieldsObjectByScan(%q) error = nil, want syntax error", tt.body)
+			}
+		})
+	}
+}
+
+func TestMergedJSONObjectCap_Overflow(t *testing.T) {
+	if _, err := mergedJSONObjectCap(math.MaxInt, 2); err == nil {
+		t.Fatal("mergedJSONObjectCap() error = nil, want overflow error")
+	}
+}
diff --git a/internal/responsecache/middleware_test.go b/internal/responsecache/middleware_test.go
@@ -339,6 +339,61 @@ func TestSimpleCacheMiddleware_BypassesCacheWhenBodyWasNotCaptured(t *testing.T)
 	}
 }
 
+func TestSimpleCacheMiddleware_BodyReadErrorReturnsGatewayError(t *testing.T) {
+	store := cache.NewMapStore()
+	defer store.Close()
+	mw := NewResponseCacheMiddlewareWithStore(store, time.Hour)
+	e := echo.New()
+
+	handler := mw.Middleware()(func(c *echo.Context) error {
+		t.Fatal("handler should not be called when request body read fails")
+		return nil
+	})
+
+	req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil)
+	req.Header.Set("Content-Type", "application/json")
+	req.Body = explodingCacheReadCloser{}
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	err := handler(c)
+	var gatewayErr *core.GatewayError
+	if !errors.As(err, &gatewayErr) {
+		t.Fatalf("handler error = %T, want *core.GatewayError", err)
+	}
+	if gatewayErr.Type != core.ErrorTypeInvalidRequest {
+		t.Fatalf("gateway error type = %q, want %q", gatewayErr.Type, core.ErrorTypeInvalidRequest)
+	}
+}
+
+func TestRequestBodyForCache_BodyNotCapturedTakesPrecedenceOverEmptySnapshotBody(t *testing.T) {
+	req := httptest.NewRequest(http.MethodPost, "/v1/chat/completions", nil)
+	frame := core.NewRequestSnapshot(
+		http.MethodPost,
+		"/v1/chat/completions",
+		nil,
+		nil,
+		nil,
+		"application/json",
+		[]byte{},
+		true,
+		"",
+		nil,
+	)
+	req = req.WithContext(core.WithRequestSnapshot(req.Context(), frame))
+
+	body, cacheable, err := requestBodyForCache(req)
+	if err != nil {
+		t.Fatalf("requestBodyForCache() error = %v", err)
+	}
+	if cacheable {
+		t.Fatalf("requestBodyForCache() cacheable = true, want false (body=%q)", body)
+	}
+	if body != nil {
+		t.Fatalf("requestBodyForCache() body = %q, want nil", body)
+	}
+}
+
 func TestIsStreamingRequest(t *testing.T) {
 	tests := []struct {
 		name string
