1.12.0 preparation

[wollomatic]

Summary by CodeRabbit

Release Notes

• New Features

  • Added support for multiple allowlist patterns per HTTP method across command-line flags, environment variables, and Docker labels.
  • Introduced new -shutdowngracetime parameter for shutdown configuration.

• Documentation

  • Updated documentation for version 1.12.0 with allowlist pattern examples and configuration guidance.

• Chores

  • Updated build base image and workflow dependencies to latest stable versions.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ef12c0bf-6fc7-42de-ac41-592965a54a42

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch main

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/config/config_test.go`:
- Around line 102-117: The helper regexMapsEqual is flaky because it compares
slices positionally (aRegexes[i] vs bRegexes[i]) while the source
(extractLabelData iterating cntr.Labels) can produce regexes in different
orders; update regexMapsEqual to normalize both slices before comparison by
building slices of the regex string representations for each method, sorting
them (e.g., sort.Strings) and then comparing lengths and each element, ensuring
the comparison uses ar.String() values rather than relying on original slice
order.

In `@internal/config/config.go`:
- Around line 693-699: The allowSpec parsing currently uses slices.ContainsFunc
with strings.HasPrefix which lets tokens like "GETTING" match "GET" and then
stores a regex under the wrong method; change parsing to split allowSpec on '.'
first (use strings.Cut or strings.SplitN) to extract the first token, validate
that exact token equals one of supportedHTTPMethods (not prefix-match), and only
then call compileRegexp(labelValue, method, "docker container label") and
proceed; update the code paths that reference allowSpec, supportedHTTPMethods,
method, labelValue, and compileRegexp so the extracted method is strictly
validated before compiling/storing the regex.

In `@README.md`:
- Around line 96-101: Reword the multi-value examples to be clearer and more
grammatical: replace awkward phrases like "use allow GET multiple times" with
explicit wording such as "supports using -allowGET multiple times" and change
"can set multiple -allow*" to "supports multiple -allow* entries"; update the
specific example lines mentioning '-allowGET', 'SP_ALLOW_GET', 'SP_ALLOW_GET_2',
and 'SP_ALLOW_HEAD' (and the similar lines at 109-110) to use this clearer
phrasing so readers understand that multiple -allowGET flags or multiple
SP_ALLOW_GET environment variables are supported.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fbd04e42-3c78-4abb-bf81-c027cf46cb7f

📥 Commits

Reviewing files that changed from the base of the PR and between fb6d345 and cc17d0e.

📒 Files selected for processing (12)

• .github/workflows/dependency-review.yml
• Dockerfile
• README.md
• cmd/socket-proxy/handlehttprequest.go
• internal/config/config.go
• internal/config/config_test.go
• internal/config/env.go
• internal/config/env_test.go
• internal/config/param.go
• internal/docker/api/types/events/events.go
• internal/docker/api/types/filters/parse.go
• internal/go-connections/sockets/sockets.go

💤 Files with no reviewable changes (3)

• internal/go-connections/sockets/sockets.go
• internal/docker/api/types/events/events.go
• internal/docker/api/types/filters/parse.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

This helper makes Test_extractLabelData flaky.

extractLabelData() iterates cntr.Labels, so the order of GET regexes is not stable. Comparing aRegexes[i] to bRegexes[i] will intermittently fail when socket-proxy.allow.get.1 is visited before .0. Normalise the slices before comparing.

Proposed fix

 import (
 	"flag"
 	"math"
 	"os"
 	"reflect"
 	"regexp"
+	"slices"
 	"strconv"
 	"testing"
@@
 func regexMapsEqual(a, b map[string][]*regexp.Regexp) bool {
 	if len(a) != len(b) {
 		return false
 	}
 	for method, aRegexes := range a {
 		bRegexes, ok := b[method]
 		if !ok || len(aRegexes) != len(bRegexes) {
 			return false
 		}
-		for i, ar := range aRegexes {
-			if ar.String() != bRegexes[i].String() {
-				return false
-			}
-		}
+		aStrings := make([]string, len(aRegexes))
+		bStrings := make([]string, len(bRegexes))
+		for i, re := range aRegexes {
+			aStrings[i] = re.String()
+		}
+		for i, re := range bRegexes {
+			bStrings[i] = re.String()
+		}
+		slices.Sort(aStrings)
+		slices.Sort(bStrings)
+		if !reflect.DeepEqual(aStrings, bStrings) {
+			return false
+		}
 	}
 	return true
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/config/config_test.go` around lines 102 - 117, The helper
regexMapsEqual is flaky because it compares slices positionally (aRegexes[i] vs
bRegexes[i]) while the source (extractLabelData iterating cntr.Labels) can
produce regexes in different orders; update regexMapsEqual to normalize both
slices before comparison by building slices of the regex string representations
for each method, sorting them (e.g., sort.Strings) and then comparing lengths
and each element, ensuring the comparison uses ar.String() values rather than
relying on original slice order.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Make label-method matching exact, not prefix-based.

This accepts typos like socket-proxy.allow.getting because GETTING starts with GET, then stores the regex under method GETTING, which is silently ignored at request time. Split on . first and validate the extracted method token exactly against supportedHTTPMethods.

Proposed fix

-			if slices.ContainsFunc(supportedHTTPMethods, func(method string) bool {
-				// allowSpec starts with the method name like  socket-proxy.allow.get.1
-				return strings.HasPrefix(allowSpec, method)
-			}) {
-				// extract the method name from allowSpec
-				method, _, _ := strings.Cut(allowSpec, ".")
+			method, _, _ := strings.Cut(allowSpec, ".")
+			if slices.Contains(supportedHTTPMethods, method) {
 				r, err := compileRegexp(labelValue, method, "docker container label")
 				if err != nil {
 					return nil, nil, err
 				}
 				allowedRequests[method] = append(allowedRequests[method], r)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/config/config.go` around lines 693 - 699, The allowSpec parsing
currently uses slices.ContainsFunc with strings.HasPrefix which lets tokens like
"GETTING" match "GET" and then stores a regex under the wrong method; change
parsing to split allowSpec on '.' first (use strings.Cut or strings.SplitN) to
extract the first token, validate that exact token equals one of
supportedHTTPMethods (not prefix-match), and only then call
compileRegexp(labelValue, method, "docker container label") and proceed; update
the code paths that reference allowSpec, supportedHTTPMethods, method,
labelValue, and compileRegexp so the extracted method is strictly validated
before compiling/storing the regex.