Skip to content

sanitize param names for http.ServeMux since they must be valid Go identifiers#2279

Merged
mromaszewicz merged 3 commits into
oapi-codegen:mainfrom
mromaszewicz:fix/issue-2278
Apr 29, 2026
Merged

sanitize param names for http.ServeMux since they must be valid Go identifiers#2279
mromaszewicz merged 3 commits into
oapi-codegen:mainfrom
mromaszewicz:fix/issue-2278

Conversation

@mromaszewicz

@mromaszewicz mromaszewicz commented Mar 5, 2026

Copy link
Copy Markdown
Member

Go's net/http ServeMux requires wildcard segment names to be valid Go identifiers. OpenAPI specs can use path parameter names containing dashes (e.g. "addressing-identifier"), which causes a panic when registering routes with ServeMux.

Fix by sanitizing parameter names in the stdhttp code path:

  • SwaggerUriToStdHttpUri now sanitizes param names via SanitizeGoIdentity so route patterns use valid Go identifiers (e.g. {addressing_identifier})
  • stdhttp middleware template uses new SanitizedParamName for r.PathValue() calls to match the sanitized route pattern, while keeping the original ParamName for error messages
  • Add SanitizedParamName() method to ParameterDefinition for use by templates that need the sanitized form

Add server-specific test directory with per-router integration tests exercising dashed path parameter names. Right now, only stdhttp has a test in this directory, but we'll do router specific tests in there in the future.

Fixes #2278

@mromaszewicz mromaszewicz requested a review from a team as a code owner March 5, 2026 19:16
@mromaszewicz mromaszewicz added the bug Something isn't working label Mar 5, 2026
@mromaszewicz @claude
sanitize param names for http.ServeMux
730c94f 
Go's net/http ServeMux requires wildcard segment names to be valid Go
identifiers. OpenAPI specs can use path parameter names containing
dashes (e.g. "addressing-identifier"), which causes a panic when
registering routes with ServeMux.

Fix by sanitizing parameter names in the stdhttp code path:

- SwaggerUriToStdHttpUri now sanitizes param names via SanitizeGoIdentity
  so route patterns use valid Go identifiers (e.g. {addressing_identifier})
- stdhttp middleware template uses new SanitizedParamName for r.PathValue()
  calls to match the sanitized route pattern, while keeping the original
  ParamName for error messages
- Add SanitizedParamName() method to ParameterDefinition for use by
  templates that need the sanitized form

Add server-specific test directory with per-router integration tests
exercising dashed path parameter names. Right now, only stdhttp has
a test in this directory, but we'll do router specific tests in there
in the future.

Fixes oapi-codegen#2278

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mromaszewicz

mromaszewicz commented Mar 5, 2026

Copy link
Copy Markdown
Member Author

@greptileai

@greptile-apps

greptile-apps Bot commented Mar 5, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR fixes a runtime panic caused by OpenAPI path parameters with dashes (e.g. addressing-identifier) being passed as-is to Go's net/http ServeMux, which requires wildcard segment names to be valid Go identifiers.

Key changes:

  • Introduces SanitizeGoIdentifier (replaces illegal runes with _, intentionally does not prefix Go keywords) extracted from the existing SanitizeGoIdentity.
  • SwaggerUriToStdHttpUri now sanitizes each wildcard name via SanitizeGoIdentifier.
  • The stdhttp middleware template uses the new SanitizedParamName() method for r.PathValue() calls while preserving the original ParamName in error messages.
  • Adds an integration test in internal/test/server-specific/stdhttp/ that exercises the dashed-param scenario end-to-end.

The core fix is correct and well-structured. Two things worth attention:

  • Name-collision risk: two OpenAPI parameters whose names differ only in illegal characters (e.g. my-param and my_param) will sanitize to the same string. ServeMux panics at startup when a pattern contains duplicate wildcard names; this edge case is currently undetected during code generation.
  • SanitizeGoIdentifier lacks direct unit tests: it is only covered indirectly through SwaggerUriToStdHttpUri, making future regressions harder to catch.

Confidence Score: 4/5

  • Safe to merge; the core fix is correct and well-tested, with one edge-case collision risk that is unlikely in real-world specs.
  • The fix correctly addresses the reported panic, the template changes are minimal and accurate, and an integration test validates the happy path. The score is 4 rather than 5 because of the unhandled sanitization-collision edge case (duplicate wildcard names causing a ServeMux panic) and the absence of direct unit tests for the new SanitizeGoIdentifier helper.
  • pkg/codegen/utils.go — the SwaggerUriToStdHttpUri sanitization logic and the new SanitizeGoIdentifier function.

Important Files Changed
Filename Overview
pkg/codegen/utils.go Introduces SanitizeGoIdentifier (no keyword-prefixing) extracted from SanitizeGoIdentity, and updates SwaggerUriToStdHttpUri to sanitize wildcard names via a double-regex pattern; logic is correct but an edge-case name collision risk exists.
pkg/codegen/operations.go Adds SanitizedParamName() method to ParameterDefinition, correctly delegating to SanitizeGoIdentifier; straightforward and safe.
pkg/codegen/templates/stdhttp/std-http-middleware.tmpl Updates the three path-param extraction paths (PassThrough, Json, Styled) to call r.PathValue with .SanitizedParamName while keeping .ParamName in error messages; correct.
pkg/codegen/utils_test.go New assertions cover the dashed-param sanitization and the Go-keyword pass-through case for SwaggerUriToStdHttpUri; SanitizeGoIdentifier itself has no direct unit tests.
internal/test/server-specific/stdhttp/server_test.go Integration test exercises the dashed-param scenario end-to-end; correctly asserts HTTP 200 and proper param extraction.

Last reviewed commit: 730c94f

greptile-apps[bot]
greptile-apps Bot reviewed Mar 5, 2026
View reviewed changes
Comment thread pkg/codegen/utils.go
@mromaszewicz mromaszewicz added this to the v2.7.0 milestone Apr 21, 2026
@mromaszewicz mromaszewicz merged commit f0626c2 into oapi-codegen:main Apr 29, 2026
17 checks passed
@mromaszewicz mromaszewicz deleted the fix/issue-2278 branch April 29, 2026 15:39
@mromaszewicz mromaszewicz changed the title sanitize param names for http.ServeMux sanitize param names for http.ServeMux since they must be valid Go identifiers May 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamietanna jamietanna jamietanna left review comments

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

v2.7.0

Development

Successfully merging this pull request may close these issues.

stdhttp requires param names to be valid go identifiers

2 participants

@mromaszewicz @jamietanna