fix(security): fixed the possible overflow related issue

[SantiagoDePolonia]

Summary by CodeRabbit

• Refactor

  • Optimized internal streaming helper implementation for improved performance.

• Tests

  • Added comprehensive unit tests for streaming helper functions to ensure reliability and correct behavior across edge cases and typical scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

Refactored the joinedSuffix function to construct byte slices using growth semantics with make([]byte, 0, n) and append instead of pre-allocated buffers. Added comprehensive unit tests for joinedSuffix covering edge cases and typical input scenarios.

Changes

Cohort / File(s)	Summary
Implementation Optimization internal/streaming/observed_sse_stream.go	Refactored joinedSuffix to use zero-length slice with capacity and append operations instead of exact-length allocation with copy, preserving output while changing slice construction approach.
Test Coverage internal/streaming/observed_sse_stream_test.go	Added TestJoinedSuffix with comprehensive test cases covering nil returns for invalid lengths, suffix extraction, prefix-data concatenation, and edge cases where prefix is insufficient.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A humble hop through slices bright,
Where append grows them just right,
No copies needed, capacity set—
The cleanest suffix dance yet!
Tests now guard each edge case round,
Making sure no bugs are found! 🎉

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims to fix a security overflow issue, but the actual changes refactor slice construction in joinedSuffix and add test coverage without addressing any overflow vulnerability.	Update the title to accurately reflect the changes, such as 'refactor: optimize joinedSuffix slice allocation and add unit tests' or provide evidence of the overflow fix being security-critical.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/security-fix

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/streaming/observed_sse_stream_test.go`:
- Around line 293-337: Add more edge-case table-driven tests for joinedSuffix to
cover negative n, nil/empty prefix and data, n larger than sum of prefix+data,
and cases where prefix length equals n (no data used) — e.g., add test rows
invoking joinedSuffix(prefix=nil, data=nil, n<0), joinedSuffix(prefix=nil,
data="abc", n=2), joinedSuffix(prefix="ab", data=nil, n=3),
joinedSuffix(prefix="xyz", data="123", n=6) and joinedSuffix(prefix="xyz",
data="123", n=3) to ensure correct behavior; update the TestJoinedSuffix cases
to include these inputs and expected outputs so joinedSuffix is validated
against boundary conditions.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: da0f7dda-e54c-4cda-8c14-86ae01892d10

📥 Commits

Reviewing files that changed from the base of the PR and between c6d6f08 and 1766663.

📒 Files selected for processing (2)

• internal/streaming/observed_sse_stream.go
• internal/streaming/observed_sse_stream_test.go

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Good test coverage for the core scenarios.

Consider adding edge cases for more thorough coverage:

💡 Suggested additional test cases

 		{
 			name: "returns nil for non-positive length",
 			data: []byte("abc"),
 			n:    0,
 			want: nil,
 		},
+		{
+			name: "returns nil for negative length",
+			data: []byte("abc"),
+			n:    -1,
+			want: nil,
+		},
+		{
+			name: "handles nil prefix",
+			prefix: nil,
+			data:   []byte("abc"),
+			n:      2,
+			want:   []byte("bc"),
+		},
+		{
+			name: "handles empty data with prefix",
+			prefix: []byte("abcd"),
+			data:   []byte{},
+			n:      2,
+			want:   []byte("cd"),
+		},

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	func TestJoinedSuffix(t *testing.T) {
	tests := []struct {
	name string
	prefix []byte
	data []byte
	n int
	want []byte
	}{
	{
	name: "returns nil for non-positive length",
	data: []byte("abc"),
	n: 0,
	want: nil,
	},
	{
	name: "returns suffix from data when data is long enough",
	data: []byte("abcdef"),
	n: 3,
	want: []byte("def"),
	},
	{
	name: "combines prefix tail and data",
	prefix: []byte("abcd"),
	data: []byte("ef"),
	n: 4,
	want: []byte("cdef"),
	},
	{
	name: "uses available prefix bytes only",
	prefix: []byte("ab"),
	data: []byte("cd"),
	n: 5,
	want: []byte("abcd"),
	},
	}
	for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
	got := joinedSuffix(tt.prefix, tt.data, tt.n)
	if !bytes.Equal(got, tt.want) {
	t.Fatalf("joinedSuffix() = %q, want %q", got, tt.want)
	}
	})
	}
	}
	func TestJoinedSuffix(t *testing.T) {
	tests := []struct {
	name string
	prefix []byte
	data []byte
	n int
	want []byte
	}{
	{
	name: "returns nil for non-positive length",
	data: []byte("abc"),
	n: 0,
	want: nil,
	},
	{
	name: "returns nil for negative length",
	data: []byte("abc"),
	n: -1,
	want: nil,
	},
	{
	name: "handles nil prefix",
	prefix: nil,
	data: []byte("abc"),
	n: 2,
	want: []byte("bc"),
	},
	{
	name: "handles empty data with prefix",
	prefix: []byte("abcd"),
	data: []byte{},
	n: 2,
	want: []byte("cd"),
	},
	{
	name: "returns suffix from data when data is long enough",
	data: []byte("abcdef"),
	n: 3,
	want: []byte("def"),
	},
	{
	name: "combines prefix tail and data",
	prefix: []byte("abcd"),
	data: []byte("ef"),
	n: 4,
	want: []byte("cdef"),
	},
	{
	name: "uses available prefix bytes only",
	prefix: []byte("ab"),
	data: []byte("cd"),
	n: 5,
	want: []byte("abcd"),
	},
	}
	for _, tt := range tests {
	t.Run(tt.name, func(t *testing.T) {
	got := joinedSuffix(tt.prefix, tt.data, tt.n)
	if !bytes.Equal(got, tt.want) {
	t.Fatalf("joinedSuffix() = %q, want %q", got, tt.want)
	}
	})
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/streaming/observed_sse_stream_test.go` around lines 293 - 337, Add
more edge-case table-driven tests for joinedSuffix to cover negative n,
nil/empty prefix and data, n larger than sum of prefix+data, and cases where
prefix length equals n (no data used) — e.g., add test rows invoking
joinedSuffix(prefix=nil, data=nil, n<0), joinedSuffix(prefix=nil, data="abc",
n=2), joinedSuffix(prefix="ab", data=nil, n=3), joinedSuffix(prefix="xyz",
data="123", n=6) and joinedSuffix(prefix="xyz", data="123", n=3) to ensure
correct behavior; update the TestJoinedSuffix cases to include these inputs and
expected outputs so joinedSuffix is validated against boundary conditions.