feat: auto decompress request body, close #1680

[looplj]

No description provided.

[gemini-code-assist]

Code Review

This pull request introduces HTTP request body decompression support for gzip, deflate, and zstd encodings within the llm/httpclient package. It also updates several frontend dependencies and adds the klauspost/compress library. Feedback highlights critical issues, including the accidental removal of existing tests in utils_test.go and a potential memory exhaustion vulnerability (Zip Bomb) due to the lack of size limits on decompression readers. Furthermore, the deflate implementation should be switched to zlib for RFC compliance, a suspicious uuid version in the lockfile requires verification, and compression library versions should be synchronized across modules.

[gemini-code-assist]

It appears that all existing tests in this file (such as TestIsHTTPStatusCodeRetryable, TestMergeHTTPHeaders, TestMergeHTTPQuery, and TestMergeInboundRequest) have been deleted and replaced by the new tests. Please ensure that the new tests are appended to the file instead of overwriting the existing ones to maintain test coverage.

[gemini-code-assist]

Using io.ReadAll on a decompression reader without a size limit is vulnerable to memory exhaustion attacks (Zip Bombs). A small malicious payload could expand to a size that exceeds available memory. Consider using io.LimitReader to restrict the maximum decompressed size. This risk also applies to the deflate and zstd implementations.

[gemini-code-assist]

The uuid package version 14.0.0 appears to be non-existent on the public npm registry (current version is 11.x). This could indicate a corrupted lockfile or a potential security risk. Please verify this dependency change.

[gemini-code-assist]

For HTTP Content-Encoding, the deflate value typically refers to the zlib format (RFC 1950). Using compress/flate (which implements raw RFC 1951 deflate) will fail for standard-compliant clients that send zlib-wrapped data. It is recommended to use compress/zlib instead.

[gemini-code-assist]

The version of github.com/klauspost/compress used here (v1.17.9) is inconsistent with the version used in the root go.mod (v1.18.0). It is recommended to keep dependency versions synchronized across the project.

[greptile-apps]

Greptile Summary

This PR adds transparent auto-decompression of inbound request bodies for gzip/x-gzip, deflate, and zstd Content-Encoding values, stripping the encoding headers after decoding so upstream LLM providers receive a plain JSON body. The deflate path correctly attempts zlib-wrapped decoding first and falls back to raw DEFLATE when the header check fails, addressing a known RFC ambiguity.

• Decompression logic (llm/httpclient/utils.go): new decodeRequestBody switch and decodeZlibOrFlate helper; the zlib\u2192raw DEFLATE fallback only fires when zlib.NewReader rejects the header, leaving a gap where raw DEFLATE streams whose first two bytes accidentally satisfy the zlib checksum are mis-detected as zlib and then fail to decode.
• Tests (llm/httpclient/utils_test.go): thorough coverage of all three encodings, identity, empty body, error cases, and case-insensitive header handling; no test for the edge-case raw DEFLATE / coincidental zlib header collision.
• Dependencies: adds github.com/klauspost/compress v1.18.0 for zstd support; lock files updated across go.mod/go.sum and frontend pnpm-lock.yaml (frontend lock change appears to be an unrelated dependency cleanup).

Confidence Score: 4/5

Safe to merge with the zlib fallback gap fixed; the bug only manifests for raw DEFLATE bodies whose first two bytes coincidentally satisfy the zlib checksum, but when it does trigger the request silently fails.

The decompression logic is correct for the vast majority of real-world inputs, but decodeZlibOrFlate stops at the first io.ReadAll error after a successful zlib.NewReader call without retrying as raw DEFLATE. A raw DEFLATE stream with a coincidental zlib-like header will be rejected rather than decoded successfully.

llm/httpclient/utils.go — specifically decodeZlibOrFlate

Important Files Changed

Filename	Overview
llm/httpclient/utils.go	Adds decodeRequestBody and decodeZlibOrFlate helpers for transparent gzip/deflate/zstd decompression of incoming request bodies; incomplete zlib→raw DEFLATE fallback path can incorrectly reject valid raw DEFLATE streams
llm/httpclient/utils_test.go	Good coverage of the happy paths and error cases for all three encodings; missing a test for raw DEFLATE whose first two bytes happen to satisfy the zlib CMF+FLG checksum
llm/go.mod	Adds github.com/klauspost/compress v1.18.0 for zstd support

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Incoming HTTP Request] --> B[io.ReadAll body]
    B --> C{len body > 0?}
    C -- No --> G[req.Body = nil]
    C -- Yes --> D{Content-Encoding header?}
    D -- None / identity --> E[return body as-is]
    D -- gzip / x-gzip --> F1[gzip.NewReader]
    F1 -- error --> ERR[return error]
    F1 -- ok --> F2[io.ReadAll]
    F2 -- error --> ERR
    F2 -- ok --> HDR1[Del Content-Encoding Del Content-Length]
    HDR1 --> G
    D -- deflate --> Z1[zlib.NewReader]
    Z1 -- error --> Z2[flate.NewReader io.ReadAll]
    Z1 -- ok --> Z3[io.ReadAll]
    Z3 -- error --> ERR2[return error no fallback to flate]
    Z3 -- ok --> HDR2[Del Content-Encoding Del Content-Length]
    Z2 -- error --> ERR
    Z2 -- ok --> HDR2
    HDR2 --> G
    D -- zstd --> S1[zstd decoder.DecodeAll]
    S1 -- error --> ERR
    S1 -- ok --> HDR3[Del Content-Encoding Del Content-Length]
    HDR3 --> G
    D -- other --> ERR3[unsupported content encoding error]
    G --> H[Return Request]

Loading

_{Reviews (2): Last reviewed commit: "feat: auto decompress request body, clos..." | Re-trigger Greptile}