stop using deprecated mholt/archiver

[AdallomRoy]

Proposed changes

Stop using deprecated (and CVE-ful mholt/archiver) and migrate to the new mholt/archives
I added tests (that were missing) to validate the decompression part

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Summary by CodeRabbit

• Dependency Updates

  • Upgraded Go version to 1.22.2
  • Updated multiple dependencies, including the archiver library
  • Added several new indirect dependencies

• Library Changes

  • Replaced github.com/mholt/archiver with github.com/mholt/archives
  • Updated compression and archive-related library versions

• Testing Improvements

  • Enhanced file processing test coverage
  • Added support for testing ZIP and GZIP compressed file formats

• Error Handling Enhancements

  • Improved error handling and logging in file processing and package handling logic
  • Modified control flow for better robustness in handling various file types

• Structural Changes

  • Transitioned from a package-based processing model to a file-based approach in helper function identification and storage.

• Documentation Updates

  • Updated installation requirements for Nuclei to require Go version 1.22 across multiple language-specific README files.

[coderabbitai]

Walkthrough

The pull request introduces updates to the project's Go version and dependencies, focusing on file and archive processing. The primary changes involve upgrading the Go version to 1.22.2, replacing the archiver library with a new implementation, and updating various dependency versions. The modifications enhance file handling capabilities, particularly for compressed archives like ZIP and GZIP, with improved error management and more explicit file processing logic.

Changes

File	Change Summary
go.mod	- Go version upgraded to 1.22.2 - Replaced github.com/mholt/archiver with github.com/mholt/archives - Updated multiple dependency versions - Added several new indirect dependencies
pkg/protocols/file/request.go	- Updated import from github.com/mholt/archiver to github.com/mholt/archives - Improved file and archive processing logic - Enhanced error handling and logging
pkg/protocols/file/request_test.go	- Added zipFile() and gzipFile() helper functions - Extended TestFileExecuteWithResults to test compressed file formats - Improved test case structure
pkg/js/devtools/bindgen/generator.go	- Modified error handling and control flow in CreateTemplateData and gatherPackageData functions - Updated function signatures to handle broader AST node types
pkg/js/devtools/scrapefuncs/main.go	- Removed pkgs variable and replaced with dslHelpers for direct file handling - Altered logic for parsing and processing Go files
Dockerfile	- Base image updated to golang:1.22-alpine
README.md	- Updated Go version requirement from go1.21 to go1.22
README_CN.md	- Updated Go version requirement from go1.21 to go1.22
README_ES.md	- Updated Go version requirement from go1.21 to go1.22
README_ID.md	- Updated Go version requirement from go1.21 to go1.22
README_JP.md	- Updated Go version requirement from go1.21 to go1.22
README_KR.md	- Updated Go version requirement from go1.21 to go1.22

Sequence Diagram

sequenceDiagram
    participant Client
    participant FileProcessor
    participant ArchiveHandler
    participant FileSystem

    Client->>FileProcessor: Execute file request
    FileProcessor->>FileSystem: Open file
    FileSystem-->>FileProcessor: File stream
    FileProcessor->>ArchiveHandler: Detect archive type
    ArchiveHandler-->>FileProcessor: Archive format
    FileProcessor->>ArchiveHandler: Extract files
    ArchiveHandler-->>FileProcessor: Extracted content
    FileProcessor-->>Client: Processing results

Loading

Poem

🐰 Hop, hop, through files compressed tight,
Archives unfurled with digital might!
Go version leaps, dependencies dance,
Code grows stronger with each advance.
A rabbit's code, both swift and neat! 🚀

Finishing Touches

• 📝 Generate Docstrings (Beta)

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/protocols/file/request.go (2)

62-67: Consider more descriptive error logging.

While this error handling is functionally correct, consider appending file context or a clearer message to help with diagnostics (e.g., gologger.Error().Msgf("failed to open file %s: %v", filePath, err)).

---

118-118: Avoid discarding fi.Stat() error.

Currently, fi.Stat() is called with _, _ := fi.Stat(). If it fails, the subsequent logic could consume invalid or partial data. Consider capturing and handling the error.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 258f38f and 7a2c39e.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• go.mod (10 hunks)
• pkg/protocols/file/request.go (4 hunks)
• pkg/protocols/file/request_test.go (2 hunks)

🧰 Additional context used

🪛 GitHub Check: Lint

pkg/protocols/file/request_test.go

[failure] 30-30:
Error return value of w1.Write is not checked (errcheck)

🪛 GitHub Actions: 🔨 Tests

pkg/protocols/file/request_test.go

[error] 30-30: Error return value of w1.Write is not checked (errcheck)

🔇 Additional comments (16)

pkg/protocols/file/request.go (9)

5-5: No concerns with the context import.

---

13-13: Migration to github.com/mholt/archives looks correct.

---

68-68: Revisit ignored error from archives.Identify.

The return signature includes an error, but it's being discarded as _. If Identify fails, it might be helpful to check or log it to catch issues with malformed archives or unexpected file types.

---

70-73: Clean archive handling logic.

---

80-85: Archived file extraction is well-handled.

---

86-86: Processing reader for archived file.

---

108-108: Single-file decompression approach is straightforward.

---

111-111: Good error check on OpenReader(stream).

---

128-129: Data copy error handling is correct.

pkg/protocols/file/request_test.go (4)

4-5: New imports for ZIP and bytes are appropriate.

---

36-44: GZIP creation logic looks correct with error checks.

---

46-67: Test harness setup is methodical.

---

68-130: Comprehensive test coverage for multiple file types.

The loop structure tests uncompressed, GZIP, and ZIP successfully. Logging and result validations are thorough.

go.mod (3)

3-3: Go version upgrade to 1.22.2.

This upgrade provides performance enhancements and security fixes. Ensure that build environments and CI pipelines support Go 1.22.2 to avoid compatibility issues.

---

80-80: Dependency switch from archiver to archives.

This aligns directly with the PR objective of discontinuing deprecated and vulnerable libraries.

---

Line range hint 124-279: Multiple indirect dependency additions and updates.

No issues flagged. For completeness, consider scanning these updated libraries for known vulnerabilities before release.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

pkg/protocols/file/request_test.go (1)

25-34: ⚠️ Potential issue

Check the write error in zipFile.

The error from w1.Write(data) is not checked, which could lead to silent failures.

Apply this diff to fix the error handling:

-w1.Write(data)
+_, err = w1.Write(data)
+require.NoError(t, err)

🧰 Tools

🪛 GitHub Check: Lint

[failure] 30-30:
Error return value of w1.Write is not checked (errcheck)

🪛 golangci-lint (1.62.2)

30-30: Error return value of w1.Write is not checked

(errcheck)

🧹 Nitpick comments (1)

pkg/protocols/file/request.go (1)

Line range hint 62-108: Good implementation of the new archives library!

The migration to mholt/archives is well-implemented with proper error handling and logging. The code effectively handles both archive extraction and decompression.

Consider adding debug logging before archive extraction to help with troubleshooting:

 case format != nil:
+    gologger.Debug().Msgf("Identified archive format: %s for file: %s", format.Name(), filePath)
     switch archiveInstance := format.(type) {

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7a2c39e and ca5a26b.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• go.mod (10 hunks)
• pkg/protocols/file/request.go (4 hunks)
• pkg/protocols/file/request_test.go (2 hunks)

🧰 Additional context used

🪛 GitHub Check: Lint

pkg/protocols/file/request_test.go

[failure] 30-30:
Error return value of w1.Write is not checked (errcheck)

🪛 golangci-lint (1.62.2)

pkg/protocols/file/request_test.go

30-30: Error return value of w1.Write is not checked

(errcheck)

🔇 Additional comments (4)

pkg/protocols/file/request_test.go (2)

36-44: LGTM!

The function correctly implements GZIP compression with proper error handling.

---

46-130: Well-structured test cases!

The test implementation effectively validates both GZIP and ZIP formats using table-driven tests, ensuring compatibility with the new archives library.

pkg/protocols/file/request.go (1)

Line range hint 108-151: Solid implementation of decompression handling!

The code effectively manages single-file compressed archives with proper temporary file handling and cleanup. The error handling is comprehensive, ensuring reliable decompression.

go.mod (1)

80-80: Verify the latest stable versions of compression-related dependencies.

The migration to mholt/archives looks good. Let's verify the versions of related dependencies for potential updates or security fixes.

Run the following script to check for latest versions and any security advisories:

Also applies to: 124-124, 137-139, 180-181, 194-194, 210-210, 216-216, 230-231

✅ Verification successful

Let me try a different approach to verify the dependency versions.

---

Let me try one more verification approach using GitHub API to check the latest releases.

---

All compression-related dependencies are at their latest stable versions

Based on the verification results:

• mholt/archives is using the latest commit (fc8400ac35 from Dec 26, 2024)
• klauspost/compress is at v1.17.11 (latest)
• bodgit/sevenzip is at v1.6.0 (latest)
• bodgit/plumbing is at v1.3.0 (latest)
• bodgit/windows is at v1.0.1 (latest)
• sorairolake/lzip-go is at v0.3.5 (latest)
• Other dependencies are at their latest stable versions with no newer releases available

All compression-related dependencies are properly versioned and up-to-date. No security advisories or critical updates are pending.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check latest versions and security advisories for compression-related dependencies

# Check latest versions on pkg.go.dev
echo "Checking latest versions..."
for pkg in "github.com/mholt/archives" "github.com/STARRY-S/zip" "github.com/bodgit/plumbing" "github.com/bodgit/sevenzip" "github.com/bodgit/windows" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-multierror" "github.com/klauspost/compress" "github.com/nwaples/rardecode/v2" "github.com/pierrec/lz4/v4" "github.com/sorairolake/lzip-go" "github.com/therootcompany/xz"
do
  curl -s "https://pkg.go.dev/$pkg" | grep -A 1 "Latest version"
done

# Check for security advisories
for pkg in ${pkgs[@]}; do
  gh api graphql -f query='
  {
    securityVulnerabilities(first: 5, ecosystem: GO, package: "'$pkg'") {
      nodes {
        advisory {
          summary
          severity
          publishedAt
        }
        vulnerableVersionRange
        firstPatchedVersion {
          identifier
        }
      }
    }
  }'
done

Length of output: 5650

---

Script:

#!/bin/bash
# Check go.mod for current versions
echo "Current versions in go.mod:"
cat go.mod | grep -A 1 -E "github.com/(mholt/archives|STARRY-S/zip|bodgit/plumbing|bodgit/sevenzip|bodgit/windows|hashicorp/errwrap|hashicorp/go-multierror|klauspost/compress|nwaples/rardecode|pierrec/lz4|sorairolake/lzip-go|therootcompany/xz)"

# Use go list to check latest versions
echo -e "\nLatest versions from go list:"
for pkg in "github.com/mholt/archives" "github.com/STARRY-S/zip" "github.com/bodgit/plumbing" "github.com/bodgit/sevenzip" "github.com/bodgit/windows" "github.com/hashicorp/errwrap" "github.com/hashicorp/go-multierror" "github.com/klauspost/compress" "github.com/nwaples/rardecode/v2" "github.com/pierrec/lz4/v4" "github.com/sorairolake/lzip-go" "github.com/therootcompany/xz"
do
  go list -m -versions $pkg 2>/dev/null || true
done

Length of output: 6732

---

Script:

#!/bin/bash
# Check latest releases on GitHub
for repo in "mholt/archives" "STARRY-S/zip" "bodgit/plumbing" "bodgit/sevenzip" "bodgit/windows" "hashicorp/errwrap" "hashicorp/go-multierror" "klauspost/compress" "nwaples/rardecode" "pierrec/lz4" "sorairolake/lzip-go" "therootcompany/xz"; do
    echo "Latest release for $repo:"
    gh api repos/$repo/releases/latest --jq '.tag_name, .published_at' 2>/dev/null || echo "No releases found"
    echo "---"
done

# Also check the commit history for mholt/archives since it's using a commit hash
echo "Latest commits for mholt/archives:"
gh api repos/mholt/archives/commits --jq '.[0:3] | .[] | {sha: .sha[0:10], date: .commit.author.date, message: .commit.message}' 2>/dev/null

Length of output: 6939

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (2)

pkg/protocols/file/request.go (2)

Line range hint 108-134: Add memory limits for decompression.

The decompression logic should include memory limits to prevent zip bomb attacks.

 case archives.Decompressor:
   request.options.Progress.AddToTotal(1)
+  const maxDecompressedSize = 1 << 30 // 1GB limit
+  var totalBytesRead int64
   reader, err := archiveInstance.OpenReader(stream)
   if err != nil {
     gologger.Error().Msgf("%s\n", err)
     request.options.Progress.IncrementFailedRequestsBy(1)
     return
   }
   fileStat, _ := fi.Stat()
   tmpFileOut, err := os.CreateTemp("", "")
   if err != nil {
     gologger.Error().Msgf("%s\n", err)
     request.options.Progress.IncrementFailedRequestsBy(1)
     return
   }
   defer tmpFileOut.Close()
   defer os.RemoveAll(tmpFileOut.Name())
-  _, err = io.Copy(tmpFileOut, reader)
+  _, err = io.Copy(tmpFileOut, io.LimitReader(reader, maxDecompressedSize))
   if err != nil {
     gologger.Error().Msgf("%s\n", err)
     request.options.Progress.IncrementFailedRequestsBy(1)
     return
   }

---

Line range hint 70-107: Add validation for archive paths.

The archive extraction should validate paths to prevent directory traversal attacks.

 case format != nil:
   switch archiveInstance := format.(type) {
   case archives.Extractor:
     err := archiveInstance.Extract(input.Context(), stream, func(ctx context.Context, file archives.FileInfo) error {
+      // Prevent directory traversal
+      if strings.Contains(file.Name(), "..") {
+        return fmt.Errorf("invalid path: %s", file.Name())
+      }
       if !request.validatePath("/", file.Name(), true) {
         return nil
       }

🧹 Nitpick comments (5)

pkg/protocols/file/request_test.go (4)

25-35: Consider using defer for cleanup in zipFile.

The implementation looks good with proper error handling. However, consider using defer w.Close() right after creating the writer to ensure cleanup in case of panics.

 func zipFile(t *testing.T, fileName string, data []byte) []byte {
   var b bytes.Buffer
   w := zip.NewWriter(&b)
+  defer w.Close()
   w1, err := w.Create(fileName)
   require.NoError(t, err)
   _, err = w1.Write(data)
   require.NoError(t, err)
-  err = w.Close()
-  require.NoError(t, err)
   return b.Bytes()
 }

---

37-45: Consider using defer for cleanup in gzipFile.

Similar to the zipFile function, consider using defer w.Close() right after creating the writer.

 func gzipFile(t *testing.T, data []byte) []byte {
   var b bytes.Buffer
   w := gzip.NewWriter(&b)
+  defer w.Close()
   _, err := w.Write(data)
   require.NoError(t, err)
-  err = w.Close()
-  require.NoError(t, err)
   return b.Bytes()
 }

---

50-67: Add test case descriptions and edge cases.

Consider adding descriptions for each test case and including edge cases:

1. Add comments describing the purpose of each test case
2. Consider adding edge cases like:
   • Empty files
   • Large files
   • Files with special characters in names
   • Nested archives (zip containing gzip)

 var testCases = []struct {
   fileName string
   data     []byte
+  description string  // Add description field
 }{
   {
     fileName: testCaseBaseFilename,
     data:     testCaseBase,
+    description: "Plain text file",
   },
   {
     fileName: testCaseBaseFilename + ".gz",
     data:     gzipFile(t, testCaseBase),
+    description: "GZIP compressed file",
   },
   {
     fileName: "config.yaml.zip",
     data:     zipFile(t, testCaseBaseFilename, testCaseBase),
+    description: "ZIP archive with single file",
   },
+  {
+    fileName: "empty.yaml",
+    data:     []byte{},
+    description: "Empty file",
+  },
 }

---

103-113: Ensure proper cleanup of temporary files.

While defer os.RemoveAll(tempDir) is used, consider adding error handling for file operations and using a cleanup function to ensure all resources are properly released.

+  cleanup := func() {
+    if err := os.RemoveAll(tempDir); err != nil {
+      t.Errorf("Failed to cleanup temporary directory: %v", err)
+    }
+  }
   tempDir, err := os.MkdirTemp("", "test-*")
   require.Nil(t, err, "could not create temporary directory")
-  defer os.RemoveAll(tempDir)
+  defer cleanup()

pkg/protocols/file/request.go (1)

62-84: Consider adding context timeout for archive operations.

The archive identification and processing could benefit from a timeout context to prevent hanging on malicious or corrupted archives.

+  ctx, cancel := context.WithTimeout(input.Context(), 30*time.Second)
+  defer cancel()
   fi, err := os.Open(filePath)
   if err != nil {
     gologger.Error().Msgf("%s\n", err)
     return
   }
   defer fi.Close()
-  format, stream, _ := archives.Identify(input.Context(), filePath, fi)
+  format, stream, err := archives.Identify(ctx, filePath, fi)
+  if err != nil {
+    gologger.Error().Msgf("Failed to identify archive format: %s\n", err)
+    return
+  }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca5a26b and cf33607.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• go.mod (10 hunks)
• pkg/protocols/file/request.go (4 hunks)
• pkg/protocols/file/request_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

[AdallomRoy]

@dogancanbakir the linting errors here are related to the go 1.22 upgrade that is required because archives is a go 1.22 lib - it's all ast.Package usage that was deprecated in 1.22 and it used in a tool and not actually in nuclei.
Question is if you're even open to upgrading to 1.22 and if yes should I resolve those, is that tool important enough.
Thanks.

[dwisiswant0]

What CVE?

[dogancanbakir]

@AdallomRoy I don't see a reason why we shouldn't upgrade to a newer version. Could you make the necessary changes? toda!

[AdallomRoy]

CVE-2024-0406 (https://nvd.nist.gov/vuln/detail/cve-2024-0406) - no fix.

[dwisiswant0]

After looking into it, it seems like we're not directly affected by GO-2024-2698.

From what I can see in the PR mholt/archiver#396, the issue specifically affects the archiver.Tar functionality, which invokes the Unarchive method (tar.untarNext -> tar.untarFile -> writeNewSymbolicLink). However, in our current implementation, we are using walker.Walk (https://github.com/mholt/archiver/blob/v3.1.1/tar.go#L430), which only walks through the filePaths without actually unpacking them.

Based on this observation, I would say the risk level here is quite tolerable. The potentially vulnerable code doesn't seem to be actively used in our context. Of course, this assessment could change if someone provides a reproducible PoC that demonstrates the vulnerability in our specific implementation (in the file-protocol-based template). Until then, it doesn't look like we're significantly at risk.

[AdallomRoy]

I agree, I wasn't trying to imply that you are currently vulnerable. but:

• The library is deprecated and not maintained
• Someone can start using the vulnerable code path, and it will not trigger any new warning (as this is an existing import)
• Users of the code are subject to compliance which is many cases requires resolution of vulns regardless of explanations on how or if it can be exploited.

Hope this makes sense.

[dwisiswant0]

@AdallomRoy understood. I came across a forked repo that appears to have implemented a patch for the issue - mholt/archiver#396 (comment), and wondering whether the patch would be fully compatible with our setup (w/o need to bump current Go version)? This could be worth exploring to ensure it integrates smoothly without introducing additional dependencies or compatibility issues.

[AdallomRoy]

I think anyone who's importing your library would have to replace it as well.
anyway I think it's also a good option, but you would still be using a deprecated unmaintained library, at some point an upgrade would be required anyway.

[dogancanbakir]

+1 for not using unmaintained library.

[AdallomRoy]

Hey - I'm just waiting for your decision on this in order to invest more time and make sure everything is working well

[dogancanbakir]

@AdallomRoy, Thank you for following up! Please continue. We have a minor concern about whether the Go version update will cause any issues, but aside from that, we're OK with the library change.

Small note: We also need to bump the Go version in GitHub Actions.

[dwisiswant0]

We also need to bump the Go version in GitHub Actions.

Also in the Dockerfile & README_*.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (7)

pkg/js/devtools/scrapefuncs/main.go (3)

56-56: Remove commented-out code for clarity.

The commented-out line //for _, pkg := range pkgs { is no longer needed and can be removed to improve code readability.

Apply this diff to remove the commented-out code:

- //for _, pkg := range pkgs {

---

59-62: Improve error handling when reading directories.

Instead of printing the error and returning, consider using log.Fatalf or returning the error to provide better context and ensure the program exits appropriately on failure.

Apply this diff to enhance error handling:

     list, err := os.ReadDir(dir)
     if err != nil {
-        fmt.Println(err)
-        return
+        log.Fatalf("Failed to read directory %s: %v", dir, err)
     }

---

74-77: Improve error handling when parsing files.

Printing errors to standard output and returning may not provide sufficient context. Consider using log.Fatalf to log the error and exit the program.

Apply this diff to enhance error handling:

     if err != nil {
-        fmt.Println(err)
-        return
+        log.Fatalf("Failed to parse file %s: %v", filepath.Join(dir, f.Name()), err)
     }

pkg/protocols/file/request_test.go (2)

103-105: Avoid deferring os.RemoveAll inside a loop to prevent resource accumulation.

Deferring os.RemoveAll(tempDir) inside a loop can lead to increased memory usage if the loop has many iterations. It's better to clean up the temporary directory immediately after each test iteration.

Apply this diff to clean up after each iteration:

     tempDir, err := os.MkdirTemp("", "test-*")
     require.Nil(t, err, "could not create temporary directory")
-    defer os.RemoveAll(tempDir)
     // ... test logic ...
+    err = os.RemoveAll(tempDir)
+    require.Nil(t, err, "could not remove temporary directory")

---

69-69: Clone options inside the loop to prevent side effects.

Reusing the options variable may cause unintended side effects between test cases. Consider cloning or resetting options for each iteration to ensure test isolation.

Apply this diff to clone options:

     for _, tt := range testCases {
-        options := testutils.DefaultOptions
+        options := testutils.DefaultOptions.Clone()

pkg/protocols/file/request.go (2)

Line range hint 108-151: Standardize error handling messages.

Consider standardizing error messages for consistency. Currently, some errors are logged with just %s\n while others include more context.

Example improvement:

-gologger.Error().Msgf("%s\n", err)
+gologger.Error().Msgf("Failed to process compressed file %s: %v", filePath, err)

---

Line range hint 118-128: Consider using os.MkdirTemp for better isolation.

While the current temporary file handling is functional, using os.MkdirTemp instead of os.CreateTemp would provide better isolation for the extracted files.

Example improvement:

-tmpFileOut, err := os.CreateTemp("", "")
+tmpDir, err := os.MkdirTemp("", "nuclei-extract-*")
+if err != nil {
+    gologger.Error().Msgf("Failed to create temp directory: %v", err)
+    request.options.Progress.IncrementFailedRequestsBy(1)
+    return
+}
+defer os.RemoveAll(tmpDir)
+tmpFileOut, err := os.CreateTemp(tmpDir, "file-*")

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf33607 and 73b0d53.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• go.mod (10 hunks)
• pkg/js/devtools/bindgen/generator.go (4 hunks)
• pkg/js/devtools/scrapefuncs/main.go (2 hunks)
• pkg/protocols/file/request.go (4 hunks)
• pkg/protocols/file/request_test.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

🔇 Additional comments (12)

pkg/js/devtools/bindgen/generator.go (6)

134-137: Add check for empty package list.

Good job adding a check to handle cases where no packages are found. This prevents possible nil pointer dereferences later in the code.

---

196-197: Update gatherPackageData to accept ast.Node.

Changing the parameter to ast.Node makes the function more flexible and allows for broader usage across different AST nodes.

---

245-245: Update function call to match new parameter type.

Adjusting the identifyGenDecl call to pass astNode aligns with the updated function signature.

---

251-251: Modify identifyGenDecl to accept ast.Node.

Updating the parameter improves the function's flexibility and consistency with gatherPackageData.

---

282-282: Update function call in gatherPackageData.

Calling collectStructFuncsFromAST with the appropriate node enhances the correctness of the AST traversal.

---

289-290: Refactor collectStructFuncsFromAST to use ast.Node.

Adjusting the function signature allows for a more general AST inspection, improving code maintainability.

pkg/protocols/file/request_test.go (3)

25-35: Ensure proper error handling in zipFile function.

Good job checking and handling errors after writing data to the zip writer. This ensures that partial writes or I/O issues are caught.

---

37-45: Verify error handling in gzipFile function.

Excellent work adding error checks after writing to the gzip writer, which helps in identifying any issues during compression.

---

110-113: Check for write errors when creating test files.

While error checks are present, ensure that all possible errors during file creation are properly handled to prevent test failures.

pkg/protocols/file/request.go (3)

13-13: LGTM! Successfully migrated to the new archives library.

The change from mholt/archiver to mholt/archives addresses the security vulnerability (CVE-2024-0406) mentioned in the PR objectives.

---

62-68: LGTM! Improved file handling with better error management.

The new implementation:

• Uses direct file operations with proper error handling
• Implements explicit archive identification using the new library
• Includes appropriate cleanup with deferred close

---

Line range hint 70-107: LGTM! Robust archive extraction implementation.

The new implementation properly handles archive extraction using the type-safe archives.Extractor interface, with appropriate error handling and progress tracking.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

pkg/js/devtools/scrapefuncs/main.go (1)

Line range hint 79-120: Add validation for helper function fields.

The helper function fields are added to the map without validation. Consider adding checks for empty or malformed fields.

Example validation:

 							if hf.Name != "" {
+								if strings.TrimSpace(hf.Description) == "" {
+									fmt.Printf("Warning: Empty description for helper function %s\n", hf.Name)
+								}
+								if len(hf.Signatures) == 0 {
+									fmt.Printf("Warning: No signatures for helper function %s\n", hf.Name)
+								}
 								identifier := pkg2NameMapping[astFile.Name.Name]

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 73b0d53 and a7dbdd5.

📒 Files selected for processing (1)

• pkg/js/devtools/scrapefuncs/main.go (2 hunks)

🔇 Additional comments (1)

pkg/js/devtools/scrapefuncs/main.go (1)

54-55: LGTM: Clean variable declaration.

The map initialization is well-structured for storing helper functions by their package identifiers.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

pkg/js/devtools/scrapefuncs/main.go (1)

111-113: ⚠️ Potential issue

Sanitize directory paths in identifiers.

Using raw directory paths in identifiers could expose sensitive information in the generated documentation.

Apply this diff to sanitize the path:

-									identifier = astFile.Name.Name + "  (" + dir + ")"
+									identifier = astFile.Name.Name + "  (" + filepath.Base(dir) + ")"

🧹 Nitpick comments (2)

README.md (1)

16-16: LGTM! Go version badge updated.

The Go version badge has been correctly updated to reflect the new version requirement.

Consider adding alt text to the badge image for better accessibility:

-<img src="https://img.shields.io/badge/go-1.22-%2300ADD8.svg?style=for-the-badge&logo=go&logoColor=white">
+<img src="https://img.shields.io/badge/go-1.22-%2300ADD8.svg?style=for-the-badge&logo=go&logoColor=white" alt="Go Version: 1.22">

🧰 Tools

🪛 Markdownlint (0.37.0)

16-16: null
Images should have alternate text (alt text)

(MD045, no-alt-text)

pkg/js/devtools/scrapefuncs/main.go (1)

63-81: Consider more graceful error handling.

While error handling is present, the current implementation immediately returns on errors, which might leave the process incomplete. Consider:

1. Logging the error and continuing to process remaining files
2. Collecting errors and reporting them all at once

Example improvement:

-		list, err := os.ReadDir(dir)
-		if err != nil {
-			fmt.Println(err)
-			return
-		}
+		list, err := os.ReadDir(dir)
+		if err != nil {
+			fmt.Printf("Error reading directory %s: %v\n", dir, err)
+			continue
+		}

-			astFile, err := parser.ParseFile(fset, filepath.Join(dir, f.Name()), nil, parser.AllErrors|parser.SkipObjectResolution)
-			if err != nil {
-				fmt.Println(err)
-				return
-			}
+			astFile, err := parser.ParseFile(fset, filepath.Join(dir, f.Name()), nil, parser.AllErrors|parser.SkipObjectResolution)
+			if err != nil {
+				fmt.Printf("Error parsing file %s: %v\n", f.Name(), err)
+				continue
+			}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7dbdd5 and 5bd81aa.

📒 Files selected for processing (9)

• Dockerfile (1 hunks)
• README.md (2 hunks)
• README_CN.md (1 hunks)
• README_ES.md (1 hunks)
• README_ID.md (1 hunks)
• README_JP.md (1 hunks)
• README_KR.md (1 hunks)
• go.mod (10 hunks)
• pkg/js/devtools/scrapefuncs/main.go (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

🧰 Additional context used

🪛 Markdownlint (0.37.0)

README.md

16-16: null
Images should have alternate text (alt text)

(MD045, no-alt-text)

⏰ Context from checks skipped due to timeout of 90000ms (3)

• GitHub Check: Tests (macOS-latest)
• GitHub Check: Tests (windows-latest)
• GitHub Check: Tests (ubuntu-latest)

🔇 Additional comments (9)

Dockerfile (1)

2-2: LGTM! Base image updated to Go 1.22

The update from golang:1.21-alpine to golang:1.22-alpine aligns with the Go version upgrade across the project.

README_JP.md (1)

55-55: LGTM! Go version requirement updated

The Go version requirement has been correctly updated to 1.22 in the Japanese documentation.

README_CN.md (1)

61-61: LGTM! Go version requirement updated

The Go version requirement has been correctly updated to 1.22 in the Chinese documentation.

README_KR.md (1)

54-54: LGTM! Go version requirement updated

The Go version requirement has been correctly updated to 1.22 in the Korean documentation.

README_ES.md (1)

58-58: LGTM! Go version requirement updated

The Go version requirement has been correctly updated to 1.22 in the Spanish documentation.

README_ID.md (1)

56-56: LGTM! Go version requirement updated.

The Go version requirement has been correctly updated from 1.21 to 1.22, which aligns with the project's migration needs.

README.md (1)

113-113: LGTM! Go version requirement updated.

The Go version requirement has been correctly updated from 1.21 to 1.22, which aligns with the project's migration needs.

pkg/js/devtools/scrapefuncs/main.go (2)

46-49: LGTM: Proper error handling implemented.

The error handling for filepath.WalkDir has been correctly implemented, preventing silent failures during directory traversal.

---

58-58: LGTM: Clean map initialization.

The initialization of dslHelpers follows Go best practices.