✨ DecodeOptions.strictDepth option to throw when input is beyond depth

[techouse]

Description

This PR adds DecodeOptions.strictDepth to enforce throwing when input depth is beyond the depth option.

Defaults to false.

Throws RangeError.

If depth has been set by the user to 0, we do not throw, but fallback to the previous behaviour.

Type of change

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

Added additional tests

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

---

Ref ljharb/qs#511

[coderabbitai]

Walkthrough

The recent changes enhance the decode functionality by introducing a strictDepth option, allowing users to set depth limits for nested input parsing. When enabled, exceeding this limit results in a RangeError, thereby improving security by preventing excessive nesting. The modifications also include comprehensive documentation and testing to ensure correct behaviour, reinforcing both configurability and error handling in the decoding process.

Changes

Files	Change Summary
README.md	Introduced DecodeOptions.strictDepth to enforce depth limits in parsing with added documentation.
lib/src/extensions/decode.dart	Added conditional checks for strictDepth to throw RangeError when depth limits are exceeded.
lib/src/models/decode_options.dart	Added strictDepth boolean property to DecodeOptions with documentation and updated constructor.
test/unit/decode_test.dart	Added tests for strictDepth handling, covering both throw and non-throw cases.
test/unit/models/decode_options_test.dart	Modified tests to include the new strictDepth parameter in parsing options handling.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant DecodeOptions
    participant Decoder

    User->>DecodeOptions: Set strictDepth to true
    User->>Decoder: Call decode with nested input
    Decoder->>Decoder: Check if strictDepth is enabled
    alt if depth exceeds limit
        Decoder-->>User: Throw RangeError
    else
        Decoder-->>User: Return parsed output
    end

Loading

Poem

In the garden of code, where rabbits do play,
We’ve spruced up the decode in a splendid way!
With depth limits set, no more nested fright,
A secure little burrow, all snug and tight. 🐇✨
So hop with delight, for our changes are grand,
Parsing’s now safer in this coding land! 🌼

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.02% (target: -1.00%)	✅ 100.00%

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (9544d3a)	644	629	97.67%
Head commit (05f7333)	650 (+6)	635 (+6)	97.69% (+0.02%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#22)	6	6	100.00%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

_{Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more}

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.68%. Comparing base (9544d3a) to head (05f7333).

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #22      +/-   ##
==========================================
+ Coverage   97.66%   97.68%   +0.02%     
==========================================
  Files          14       14              
  Lines         642      648       +6     
==========================================
+ Hits          627      633       +6     
  Misses         15       15              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coderabbitai]

Actionable comments posted: 0

Outside diff range, codebase verification and nitpick comments (1)

test/unit/models/decode_options_test.dart (1)

Include strictDepth in Test Case Verification

The strictDepth property is present in the DecodeOptions, but it is not currently verified in the copyWith no modifications test case. Ensure that strictDepth is included in the test to confirm it remains unchanged when copyWith is called without arguments.

• Ensure strictDepth is tested in copyWith no modifications.

Analysis chain

Line range hint 14-37:
Verify inclusion of strictDepth in tests.

Ensure that the strictDepth property is tested in the copyWith no modifications test case to confirm it remains unchanged.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that `strictDepth` is included in the `copyWith no modifications` test case.

# Test: Search for `strictDepth` in the test case. Expect: `strictDepth` is verified.
rg --type dart -A 5 'test\(' test/unit/models/decode_options_test.dart | rg 'strictDepth'

Length of output: 89

---

Script:

#!/bin/bash
# Description: Search for `strictDepth` in the entire `decode_options_test.dart` file to verify its presence and usage.

# Test: Search for `strictDepth` in the file. Expect: `strictDepth` is present and tested.
rg 'strictDepth' test/unit/models/decode_options_test.dart

Length of output: 122

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 9544d3a and 05f7333.

Files selected for processing (5)

• README.md (1 hunks)
• lib/src/extensions/decode.dart (1 hunks)
• lib/src/models/decode_options.dart (6 hunks)
• test/unit/decode_test.dart (1 hunks)
• test/unit/models/decode_options_test.dart (2 hunks)

Additional comments not posted (11)

test/unit/models/decode_options_test.dart (2)

Line range hint 39-73:
LGTM! strictDepth is correctly tested in copyWith modifications.

The test case appropriately verifies the behaviour of strictDepth when modified.

---

Line range hint 75-134:
LGTM! strictDepth is correctly included in toString.

The toString method and its corresponding test case correctly include and verify the strictDepth property.

lib/src/extensions/decode.dart (1)

193-199: Verify clarity of RangeError message for strictDepth.

The error message should clearly indicate the issue and provide guidance on how to address it. Consider refining the message for clarity.

Verification successful

---

Consider improving the RangeError message for clarity.

The current error message explains the condition but could be enhanced by suggesting actions, such as checking or adjusting the depth or strictDepth settings, to help users resolve the issue.

• Current message: "Input depth exceeded depth option of ${options.depth} and strictDepth is true"
• Suggested improvement: "Input depth exceeded the configured depth of ${options.depth}. Consider increasing the depth or disabling strictDepth to avoid this error."

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify clarity and completeness of the `RangeError` message in `_parseKeys`.

# Test: Search for `RangeError` message in the code. Expect: Clear and complete message.
rg --type dart 'RangeError' lib/src/extensions/decode.dart

Length of output: 84

---

Script:

#!/bin/bash
# Description: Retrieve full context of the `RangeError` message in `_parseKeys`.

# Test: Search for `RangeError` and include surrounding lines for full context.
rg --type dart 'RangeError' -A 3 -B 3 lib/src/extensions/decode.dart

Length of output: 362

lib/src/models/decode_options.dart (5)

27-27: LGTM! strictDepth property added correctly.

The strictDepth property is correctly added with a default value of false.

---

106-108: LGTM! strictDepth parameter integrated in constructor.

The constructor correctly includes the strictDepth parameter, allowing it to be set during instantiation.

---

Line range hint 138-158:
LGTM! strictDepth included in copyWith.

The copyWith method correctly includes the strictDepth parameter, allowing for its modification.

---

178-178: LGTM! strictDepth represented in toString.

The toString method correctly includes the strictDepth property in its output representation.

---

198-198: LGTM! strictDepth included in props.

The props method correctly includes the strictDepth property for equality checks.

README.md (1)

135-153: Documentation is clear and comprehensive.

The explanation of the strictDepth option and its examples are well-written and provide a clear understanding of the feature.

test/unit/decode_test.dart (2)

1627-1679: Comprehensive throw test cases for strictDepth.

The test cases effectively cover multiple nesting scenarios, ensuring that RangeError is thrown as expected when strictDepth is enabled.

---

1681-1750: Well-structured non-throw test cases for strictDepth.

The test cases comprehensively verify scenarios where no exceptions should be thrown, ensuring the strictDepth feature behaves correctly.