chore: improve JSON schema + remove default forbid list

[nickdnk]

Remove default forbid array

Reason for This PR

address was specified as required in the JSON schema. It is not required, as you can use FCGI or HTTP3 instead.
The default "forbid" list would be populated even if you specified that all files are allowed (empty list). This is counter-intuitive, especially since the current default looks more like an example than a thorough list.

Description of Changes

Made address non-required in JSON schema.
Minor grammar cleanup in JSON schema.
Removed default list of forbidden files.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the MIT license.

PR Checklist

[Author TODO: Meet these criteria.]
[Reviewer TODO: Verify that these criteria are met. Request changes if not]

• All commits in this PR are signed (git commit -s).
• The reason for this PR is clearly provided (issue no. or explanation).
• The description of changes is clear and encompassing.
• Any required documentation changes (code and docs) are included in this PR.
• Any user-facing changes are mentioned in CHANGELOG.md.
• All added/changed functionality is tested.

Summary by CodeRabbit

• New Features

  • Updated the uploads schema to modify disallowed file extensions and set default values for allowed files.

• Bug Fixes

  • Removed default population of the Forbid slice, ensuring it remains empty if no values are specified.

• Documentation

  • Enhanced descriptions in schema.json for better clarity on property functionalities and requirements.

[coderabbitai]

Walkthrough

The pull request modifies the InitDefaults method in the Uploads struct by removing the automatic population of the Forbid slice with default file extensions when it is empty. Additionally, the schema.json file has been updated to enhance property descriptions, remove the mandatory requirement for the address property, and adjust the forbid and allow properties in the Uploads definition. These changes clarify the schema and improve usability.

Changes

File	Change Summary
config/uploads.go	Removed automatic population of Forbid slice with default extensions when empty.
schema.json	- Removed required field for address. - Updated descriptions for multiple properties. - Modified forbid to include .sh and .go, removed .exe. - Set default value of allow to an empty array. - Revised SSL and FCGI property descriptions.
go.mod	Updated dependency versions for github.com/google/pprof and github.com/onsi/ginkgo/v2.
tests/go.mod	Updated dependency versions for multiple libraries including github.com/fsnotify/fsnotify and go.temporal.io/sdk.

Possibly related PRs

• chore: Fix invalid JSON schema validator #207: The changes in this PR update the forbid property in the Uploads definition of schema.json, which is directly related to the modifications made in the main PR regarding the initialization of the Forbid slice in the Uploads struct.

Poem

In the meadow where we play,
Changes hop along the way.
Forbid no more the files that creep,
Clarity in schema, a promise to keep.
With each update, we grow and thrive,
Bouncing forward, oh how we strive! 🐰✨

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 2c5a36e and 4f9115f.

⛔ Files ignored due to path filters (2)

• go.sum is excluded by !**/*.sum
• tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod (1 hunks)
• tests/go.mod (4 hunks)

🔇 Additional comments (4)

go.mod (3)

50-50: LGTM: Minor version bump for Ginkgo testing framework.

The update from v2.20.2 to v2.21.0 follows semantic versioning and, being a testing framework, shouldn't affect production code.

---

42-42: LGTM: Minor update to pprof development snapshot.

The indirect dependency update to a newer development snapshot of pprof looks safe.

Let's verify there are no breaking changes:

✅ Verification successful

Dependency update to pprof is safe

The commits between versions only contain GitHub Actions workflow updates (checkout and setup-go actions), with no code changes that could affect runtime behavior.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any major changes in the pprof dependency between versions

# Get the commit messages between the two versions to check for breaking changes
git fetch https://github.com/google/pprof.git
echo "Checking commits between 598669927662 and d1b30febd7db:"
git -C $(git rev-parse --show-toplevel) log --oneline 598669927662..d1b30febd7db

Length of output: 467

---

Line range hint 1-77: Verify: Additional files needed for complete review.

The PR objectives mention changes to JSON schema and removal of default forbid list, but these changes are not visible in the provided files.

Let's check for the relevant files:

✅ Verification successful

Changes to JSON schema and forbid list are present and verified.

The review comment's concerns have been addressed as both changes are present in the codebase:

1. JSON schema changes:

   • The schema.json file includes complete documentation for the forbid and allow properties under the Uploads definition
   • Both properties are properly defined with examples and descriptions

2. Default forbid list removal:

   • In config/uploads.go, there is no default forbid list
   • The InitDefaults() function only initializes empty maps for forbidden and allowed extensions
   • The actual forbid/allow lists are populated from user configuration

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find schema and configuration related files that might contain the mentioned changes

# Look for JSON schema files
echo "JSON schema files:"
fd -e json -e jsonc --type f schema

# Look for Go files that might contain the forbid list logic
echo -e "\nGo files potentially containing forbid list:"
rg -l "(?i)forbid.*list|uploads.*forbid" -g "*.go"

Length of output: 329

---

Script:

#!/bin/bash
# Check the content of schema.json and relevant Go files for forbid list and schema changes

echo "=== Content of schema.json ==="
cat schema.json

echo -e "\n=== Checking forbid list in config/uploads.go ==="
cat config/uploads.go

echo -e "\n=== Checking forbid list in handler/uploads.go ==="
cat handler/uploads.go

echo -e "\n=== Checking forbid list in handler/request.go ==="
cat handler/request.go

echo -e "\n=== Checking forbid list in handler/handler.go ==="
cat handler/handler.go

Length of output: 33515

tests/go.mod (1)

46-46: LGTM! Dependency updates look safe.

The indirect dependency updates follow semantic versioning and appear to be routine maintenance updates:

• github.com/fsnotify/fsnotify: v1.7.0 → v1.8.0
• github.com/google/pprof: newer commit
• github.com/onsi/ginkgo/v2: v2.20.2 → v2.21.0
• github.com/valyala/fasthttp: v1.56.0 → v1.57.0
• go.temporal.io/sdk: v1.29.1 → v1.30.0

Let's verify that the test suite passes with these updates:

Also applies to: 54-54, 73-73, 104-104, 123-123

✅ Verification successful

Dependency updates are safe to proceed

The verification shows that none of the updated indirect dependencies (fsnotify, pprof, ginkgo, fasthttp, temporal) are directly imported in any test files. Since these are indirect dependencies and not actively used in the test code, the version bumps are low-risk changes that follow semantic versioning principles.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if there are any test failures in the git history after dependency updates

# Look for test failures in recent commits
git log -p --grep="test.*fail" --since="1 week ago"

Length of output: 53

---

Script:

#!/bin/bash
# Let's verify if the test files import any of the updated packages

# Search for imports of updated packages in test files
echo "=== Searching for fsnotify imports in tests ==="
rg "github.com/fsnotify/fsnotify" -t go --glob "**/*_test.go"

echo -e "\n=== Searching for pprof imports in tests ==="
rg "github.com/google/pprof" -t go --glob "**/*_test.go"

echo -e "\n=== Searching for ginkgo imports in tests ==="
rg "github.com/onsi/ginkgo/v2" -t go --glob "**/*_test.go"

echo -e "\n=== Searching for fasthttp imports in tests ==="
rg "github.com/valyala/fasthttp" -t go --glob "**/*_test.go"

echo -e "\n=== Searching for temporal imports in tests ==="
rg "go.temporal.io/sdk" -t go --glob "**/*_test.go"

# Also check if there are any go.sum changes that might indicate breaking changes
echo -e "\n=== Checking go.sum changes ==="
git diff tests/go.sum

Length of output: 932

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

schema.json (1)

248-249: Consider keeping ".exe" in the forbid examples.

While adding ".sh" and ".go" as examples is good, removing ".exe" from the examples might lead developers to overlook a common security concern. Executable files should typically be blocked in upload directories.

Consider updating the examples to include both:

 ".php",
 ".sh",
 ".go",
+".exe"

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 8982ed7 and 2c5a36e.

📒 Files selected for processing (2)

• config/uploads.go (0 hunks)
• schema.json (11 hunks)

💤 Files with no reviewable changes (1)

• config/uploads.go

🔇 Additional comments (4)

schema.json (4)

10-10: LGTM! Description improvements enhance clarity.

The updates to field descriptions provide better context and accurately reflect the behavior of each configuration option. The removal of the "required" constraint for the address field is correct since it's optional when using FCGI or HTTP3.

Also applies to: 19-19, 26-26, 32-32, 42-42, 60-60

---

292-292: LGTM! Improved SSL configuration clarity.

The updated descriptions clearly explain the mutual exclusivity between manual SSL configuration (key/cert) and ACME, helping prevent configuration errors.

Also applies to: 355-355, 363-363, 371-371

---

396-396: LGTM! Enhanced FCGI configuration documentation.

The updates provide clearer guidance on FCGI configuration with comprehensive examples, including Unix socket support.

Also applies to: 401-408

---

427-427: LGTM! Clarified HTTP2 streams configuration.

The description now clearly states the default behavior when the value is omitted or set to zero.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

schema.json (1)

231-231: Security enhancement: Explicit forbidden file types

Good changes that:

1. Remove the confusing default forbid list (aligns with PR objectives)
2. Explicitly forbid potentially dangerous file types (.sh, .go)

Consider also forbidding other potentially dangerous extensions like .bash, .zsh, .pl, .py to prevent execution of arbitrary scripts.

Also applies to: 248-249

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 8982ed7 and 2c5a36e.

📒 Files selected for processing (2)

• config/uploads.go (0 hunks)
• schema.json (11 hunks)

💤 Files with no reviewable changes (1)

• config/uploads.go

🔇 Additional comments (5)

schema.json (5)

10-10: LGTM: Description improvements enhance clarity

The updates to property descriptions provide better clarity about:

• Optional nature of the address field (aligns with PR objectives)
• Default values and behaviors
• Conditions under which properties apply

Also applies to: 19-19, 26-26, 32-32, 42-42, 60-60

---

292-292: LGTM: Better clarity on SSL configuration options

The updated descriptions clearly indicate the mutual exclusivity between ACME and manual certificate configuration, preventing potential misconfigurations.

Also applies to: 355-355, 363-363, 371-371

---

396-396: LGTM: FCGI configuration clarity improved

The updates provide better clarity about:

• Optional nature of FCGI support
• Various supported address formats including Unix sockets

Also applies to: 401-408

---

427-427: LGTM: HTTP/2 defaults clarified

The description now clearly states the default value for max_concurrent_streams when omitted or zero.

---

Line range hint 1-479: Verify schema validity

Let's ensure the schema is valid according to JSON Schema draft 2019-09.

✅ Verification successful

Schema validation successful

The schema validation checks reveal:

1. All enum definitions are properly structured with string values and valid options
2. Type definitions are consistent across the schema
3. The schema follows JSON Schema draft 2019-09 format

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Validate the JSON schema against draft 2019-09
# Expected result: No errors in schema validation

# Check if the schema is valid JSON
if ! jq empty schema.json; then
    echo "Error: Invalid JSON syntax"
    exit 1
fi

# Check if the schema follows draft 2019-09 rules
# Note: This is a basic check. A full validator would be better but isn't available in the sandbox
if ! jq '.["$schema"] == "https://json-schema.org/draft/2019-09/schema"' schema.json > /dev/null; then
    echo "Error: Schema doesn't declare draft 2019-09"
    exit 1
fi

# Check for common schema issues
jq '
  def check_descriptions:
    .. | select(type == "object") | 
    select(has("description") and (.description | type != "string")) |
    "Invalid description type";

  def check_examples:
    .. | select(type == "object") |
    select(has("examples") and (.examples | type != "array")) |
    "Invalid examples type";

  check_descriptions, check_examples
' schema.json

Length of output: 481

---

Script:

#!/bin/bash
# Let's perform more specific schema validation checks

# Check for required fields in objects that need them
echo "=== Checking required fields ==="
jq -r '
paths as $p |
select(getpath($p) | type == "object" and has("required")) |
[$p[], .required[]] | join("/")
' schema.json

# Check for proper type definitions
echo -e "\n=== Checking type definitions ==="
jq -r '
paths as $p |
select(getpath($p) | type == "object" and has("type")) |
[$p[], .type] | join(": ")
' schema.json

# Check for proper enum values
echo -e "\n=== Checking enum definitions ==="
jq -r '
paths as $p |
select(getpath($p) | type == "object" and has("enum")) |
[$p[], (.enum | tostring)] | join(": ")
' schema.json

# Check for proper references
echo -e "\n=== Checking $ref definitions ==="
jq -r '
paths as $p |
select(getpath($p) | type == "string" and startswith("#")) |
. as $ref |
$p | join("/")
' schema.json

Length of output: 4051

---

Script:

#!/bin/bash
# Let's verify the schema references and enum values more thoroughly

# Check if all internal references are valid
echo "=== Checking internal references ==="
jq -r '
def collect_refs:
  . as $root |
  [paths(.$ref?) | 
   select(getpath(.) | startswith("#")) as $ref |
   {
     "path": (. | join("/")),
     "ref": getpath(.)
   }] |
  map(. as $item |
    ($item.ref | split("/")[1:] | reduce .[] as $seg (""; . + "/" + $seg)) as $normalized_ref |
    if $root | has($normalized_ref[1:]) then
      $item.path + ": OK"
    else
      $item.path + ": INVALID REF - " + $item.ref
    end
  )[];
collect_refs
' schema.json

# Validate enum values in detail
echo -e "\n=== Checking enum values in detail ==="
jq -r '
paths(select(type == "object" and has("enum"))) as $p |
{
  "path": $p | join("/"),
  "type": getpath($p).type,
  "enum": getpath($p).enum
} | "Path: \(.path)\nType: \(.type)\nEnum values: \(.enum | tostring)\n"
' schema.json

# Check for any inconsistencies in type definitions
echo -e "\n=== Checking type consistency ==="
jq -r '
paths(select(type == "object" and has("type"))) as $p |
{
  "path": $p | join("/"),
  "type": getpath($p).type,
  "has_items": has("items"),
  "has_properties": has("properties")
} | select(
  (.type == "array" and (has_items | not)) or
  (.type == "object" and (has_properties | not))
) | "Potential issue at \(.path): type=\(.type)"
' schema.json

Length of output: 2327

[rustatian]

LGTM, thanks @nickdnk 👍