Severity: P3 | Subsystem: routing | Category: correctness
Location: /home/kyleg/containers/atxfpv.org/skwad/main.go:204-213
What
Server registers GET /s/{code} and /S/{code} matching any single segment (e.g. /s/garbage), returning 200 plus index.html. Client route() (app.js:4668) only treats a six-hex-char path as a deep link; junk falls through to validateAndShowLanding. So invalid /s/junk returns 200 plus SPA and lands on home rather than 404. Low impact, graceful fallback, but a real server/client contract mismatch.
Suggested fix
Validate PathValue against a six-hex pattern and http.NotFound otherwise, or document the loose match as intentional.
Verification
Traced both ends against current code. main.go:204-213 registers GET /s/{code} and GET /S/{code} using Go's path-pattern {code} wildcard, which matches any single non-empty segment with no validation, then unconditionally serves staticDir+/index.html with Cache-Control: no-cache (HTTP 200). app.js route() at line 4656 reads window.location.pathname; the deep-link match at line 4668 is path.match(/^\/[sS]\/([A-Fa-f0-9]{6})$/). A junk path like /s/garbage fails this regex, skips the if (match) block (4670-4704), and falls through to the root-path branch (4707) calling validateAndShowLanding() — i.e. it lands on home, not a deep-link join and not a 404. So invalid /s/ returns 200 + SPA and silently shows home. Confirmed server/client contract mismatch exactly as described. The cited app.js:4668 line number matches the regex line precisely; main.go:204-213 matches precisely. Impact is genuinely low: graceful, benign fallback to the landing screen, no error surfaced, no security or data-integrity consequence. P3 (lowest severity) is appropriate and not overstated; the suggested fix (validate PathValue against six-hex and http.NotFound otherwise) is correct.
Filed from the 2026-05-30 multi-agent codebase review.