test: add tests and harden code review items

- Add TestBuildHandler_MaxServeFileSize (under/over/disabled)
- Add TestMiddleware_MaxCompressSize (under/over/at-limit/disabled)
- Expand TestCacheKeyForPath with path normalization edge cases
- Harden generateBoundary with math/rand/v2 fallback on crypto/rand failure
- Improve 413 response message with dynamic size limit
- Add log.Printf for template execution errors in directory listing

Author: jkyberneees

internal/compress/compress_test.go

@@ -256,6 +256,85 @@ func TestMiddleware_SkipsBelowMinSize(t *testing.T) {
 	}
 }
 
+// TestMiddleware_MaxCompressSize verifies SEC-005: bodies exceeding
+// MaxCompressSize are served uncompressed, while bodies under the limit
+// are still gzipped normally.
+func TestMiddleware_MaxCompressSize(t *testing.T) {
+	const limit = 2048
+
+	makeHandler := func(body string) fasthttp.RequestHandler {
+		return func(ctx *fasthttp.RequestCtx) {
+			ctx.Response.Header.Set("Content-Type", "text/html; charset=utf-8")
+			ctx.SetBody([]byte(body))
+		}
+	}
+
+	t.Run("under limit is compressed", func(t *testing.T) {
+		cfg := &config.CompressionConfig{Enabled: true, MinSize: 10, Level: 5, MaxCompressSize: limit}
+		body := strings.Repeat("A", limit-1) // 2047 bytes — just under
+		handler := compress.Middleware(cfg, makeHandler(body))
+		ctx := newTestCtx("GET", "/", map[string]string{"Accept-Encoding": "gzip"})
+		handler(ctx)
+
+		if enc := string(ctx.Response.Header.Peek("Content-Encoding")); enc != "gzip" {
+			t.Errorf("Content-Encoding = %q, want gzip for body under MaxCompressSize", enc)
+		}
+		// Verify decompressed content matches.
+		gr, err := gzip.NewReader(bytes.NewReader(ctx.Response.Body()))
+		if err != nil {
+			t.Fatalf("gzip.NewReader: %v", err)
+		}
+		got, err := io.ReadAll(gr)
+		if err != nil {
+			t.Fatalf("io.ReadAll: %v", err)
+		}
+		if string(got) != body {
+			t.Error("decompressed body does not match original")
+		}
+	})
+
+	t.Run("over limit stays uncompressed", func(t *testing.T) {
+		cfg := &config.CompressionConfig{Enabled: true, MinSize: 10, Level: 5, MaxCompressSize: limit}
+		body := strings.Repeat("B", limit+1) // 2049 bytes — just over
+		handler := compress.Middleware(cfg, makeHandler(body))
+		ctx := newTestCtx("GET", "/", map[string]string{"Accept-Encoding": "gzip"})
+		handler(ctx)
+
+		if enc := string(ctx.Response.Header.Peek("Content-Encoding")); enc == "gzip" {
+			t.Error("Content-Encoding should not be gzip for body exceeding MaxCompressSize")
+		}
+		if string(ctx.Response.Body()) != body {
+			t.Error("body should be served uncompressed and unmodified")
+		}
+	})
+
+	t.Run("exactly at limit stays uncompressed", func(t *testing.T) {
+		cfg := &config.CompressionConfig{Enabled: true, MinSize: 10, Level: 5, MaxCompressSize: limit}
+		body := strings.Repeat("C", limit) // exactly 2048 bytes — not strictly less
+		handler := compress.Middleware(cfg, makeHandler(body))
+		ctx := newTestCtx("GET", "/", map[string]string{"Accept-Encoding": "gzip"})
+		handler(ctx)
+
+		// len(body) > cfg.MaxCompressSize is false when equal, so it IS compressed.
+		// This tests the boundary condition: equal means "still under the limit".
+		if enc := string(ctx.Response.Header.Peek("Content-Encoding")); enc != "gzip" {
+			t.Errorf("Content-Encoding = %q, want gzip when body size equals MaxCompressSize (not strictly over)", enc)
+		}
+	})
+
+	t.Run("zero disables the limit", func(t *testing.T) {
+		cfg := &config.CompressionConfig{Enabled: true, MinSize: 10, Level: 5, MaxCompressSize: 0}
+		body := strings.Repeat("D", 100_000) // 100 KB — would exceed any reasonable limit
+		handler := compress.Middleware(cfg, makeHandler(body))
+		ctx := newTestCtx("GET", "/", map[string]string{"Accept-Encoding": "gzip"})
+		handler(ctx)
+
+		if enc := string(ctx.Response.Header.Peek("Content-Encoding")); enc != "gzip" {
+			t.Errorf("Content-Encoding = %q, want gzip when MaxCompressSize=0 (disabled)", enc)
+		}
+	})
+}
+
 // TestMiddleware_SkipsAlreadyEncoded ensures pre-encoded responses are passed through.
 func TestMiddleware_SkipsAlreadyEncoded(t *testing.T) {
 	cfg := &config.CompressionConfig{Enabled: true, MinSize: 1, Level: 5}

internal/handler/dirlist.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"html/template"
+	"log"
 	"os"
 	"sort"
 	"strings"
@@ -190,6 +191,7 @@ func (h *FileHandler) serveDirectoryListing(ctx *fasthttp.RequestCtx, absDir, ur
 	// SEC-010: Handle template execution errors instead of silently discarding.
 	var buf bytes.Buffer
 	if err := dirListTemplate.Execute(&buf, data); err != nil {
+		log.Printf("handler: directory listing template error for %q: %v", urlPath, err)
 		ctx.SetStatusCode(fasthttp.StatusInternalServerError)
 		ctx.SetBodyString("Internal Server Error: failed to render directory listing")
 		return

internal/handler/file.go

@@ -6,12 +6,14 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/sha256"
+	"encoding/binary"
 	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"io/fs"
 	"log"
+	mrandv2 "math/rand/v2"
 	"mime"
 	"net/http"
 	"os"
@@ -343,7 +345,10 @@ func (h *FileHandler) serveLargeFile(ctx *fasthttp.RequestCtx, absPath, urlPath
 	if h.cfg.Files.MaxServeFileSize > 0 && info.Size() > h.cfg.Files.MaxServeFileSize {
 		log.Printf("handler: file %q (%d bytes) exceeds max serve size (%d bytes)",
 			absPath, info.Size(), h.cfg.Files.MaxServeFileSize)
-		ctx.Error("Content Too Large", fasthttp.StatusRequestEntityTooLarge)
+		ctx.Error(
+			fmt.Sprintf("Payload Too Large: exceeds max_serve_file_size (%d bytes)", h.cfg.Files.MaxServeFileSize),
+			fasthttp.StatusRequestEntityTooLarge,
+		)
 		return
 	}
 
@@ -593,9 +598,17 @@ func (h *FileHandler) LoadSidecar(path string) []byte {
 // SEC-004: Using a unique boundary per response prevents attackers from
 // predicting boundary values and crafting payloads that exploit multipart
 // parsing in downstream proxies or clients.
+//
+// If crypto/rand fails (extremely unlikely on modern kernels), the function
+// falls back to math/rand/v2 (auto-seeded from crypto/rand at process start)
+// and logs a warning. The boundary is never all-zeroes.
 func generateBoundary() string {
 	var buf [16]byte
-	_, _ = rand.Read(buf[:])
+	if _, err := rand.Read(buf[:]); err != nil {
+		log.Printf("WARNING: crypto/rand.Read failed (%v), using math/rand fallback for multipart boundary", err)
+		binary.NativeEndian.PutUint64(buf[:8], mrandv2.Uint64())
+		binary.NativeEndian.PutUint64(buf[8:], mrandv2.Uint64())
+	}
 	return hex.EncodeToString(buf[:])
 }
 

internal/handler/file_test.go

@@ -417,6 +417,77 @@ func TestBuildHandler_LargeFile(t *testing.T) {
 	}
 }
 
+// TestBuildHandler_MaxServeFileSize verifies SEC-011: files exceeding
+// MaxServeFileSize return 413 Payload Too Large, while files under the limit
+// are served normally.
+func TestBuildHandler_MaxServeFileSize(t *testing.T) {
+	root := t.TempDir()
+
+	// Create two files: one under the limit, one over.
+	smallContent := strings.Repeat("A", 500)
+	largeContent := strings.Repeat("B", 2048)
+	if err := os.WriteFile(filepath.Join(root, "small.bin"), []byte(smallContent), 0644); err != nil {
+		t.Fatal(err)
+	}
+	if err := os.WriteFile(filepath.Join(root, "large.bin"), []byte(largeContent), 0644); err != nil {
+		t.Fatal(err)
+	}
+
+	cfg := makeCfgWithRoot(t, root)
+	cfg.Cache.MaxFileSize = 256       // force both files through serveLargeFile path
+	cfg.Files.MaxServeFileSize = 1024 // 1 KB hard limit
+	cfg.Compression.Enabled = false
+	c := cache.NewCache(cfg.Cache.MaxBytes)
+	h := handler.BuildHandler(cfg, c)
+
+	t.Run("under limit serves normally", func(t *testing.T) {
+		ctx := newTestCtx("GET", "/small.bin")
+		h(ctx)
+
+		if ctx.Response.StatusCode() != fasthttp.StatusOK {
+			t.Errorf("status = %d, want 200 for file under MaxServeFileSize", ctx.Response.StatusCode())
+		}
+		if len(ctx.Response.Body()) != 500 {
+			t.Errorf("body length = %d, want 500", len(ctx.Response.Body()))
+		}
+	})
+
+	t.Run("over limit returns 413", func(t *testing.T) {
+		ctx := newTestCtx("GET", "/large.bin")
+		h(ctx)
+
+		if ctx.Response.StatusCode() != fasthttp.StatusRequestEntityTooLarge {
+			t.Errorf("status = %d, want 413 for file exceeding MaxServeFileSize", ctx.Response.StatusCode())
+		}
+		body := string(ctx.Response.Body())
+		if !strings.Contains(body, "Payload Too Large") {
+			t.Errorf("response body = %q, want it to contain 'Payload Too Large'", body)
+		}
+		if !strings.Contains(body, "max_serve_file_size") {
+			t.Errorf("response body = %q, want it to mention 'max_serve_file_size' for operator correlation", body)
+		}
+	})
+
+	t.Run("disabled when zero", func(t *testing.T) {
+		cfg2 := makeCfgWithRoot(t, root)
+		cfg2.Cache.MaxFileSize = 256
+		cfg2.Files.MaxServeFileSize = 0 // 0 = disabled
+		cfg2.Compression.Enabled = false
+		c2 := cache.NewCache(cfg2.Cache.MaxBytes)
+		h2 := handler.BuildHandler(cfg2, c2)
+
+		ctx := newTestCtx("GET", "/large.bin")
+		h2(ctx)
+
+		if ctx.Response.StatusCode() != fasthttp.StatusOK {
+			t.Errorf("status = %d, want 200 when MaxServeFileSize=0 (disabled)", ctx.Response.StatusCode())
+		}
+		if len(ctx.Response.Body()) != 2048 {
+			t.Errorf("body length = %d, want 2048", len(ctx.Response.Body()))
+		}
+	})
+}
+
 // TestBuildHandler_CacheDisabled verifies that when Cache.Enabled=false, the
 // handler reads from disk on every request.
 func TestBuildHandler_CacheDisabled(t *testing.T) {

internal/headers/headers_test.go

@@ -29,10 +29,30 @@ func TestCacheKeyForPath(t *testing.T) {
 		indexFile string
 		want      string
 	}{
+		// --- Original basic cases ---
 		{name: "root", urlPath: "/", indexFile: "index.html", want: "/index.html"},
 		{name: "directory", urlPath: "/docs/", indexFile: "home.html", want: "/docs/home.html"},
 		{name: "file", urlPath: "/app.js", indexFile: "index.html", want: "/app.js"},
 		{name: "default index", urlPath: "/", indexFile: "", want: "/index.html"},
+
+		// --- SEC-006: path.Clean normalization ---
+		{name: "dotdot traversal", urlPath: "/a/../b", indexFile: "index.html", want: "/b"},
+		{name: "dotdot to root", urlPath: "/a/..", indexFile: "index.html", want: "/index.html"},
+		{name: "dotdot deep", urlPath: "/a/b/../../c/d", indexFile: "index.html", want: "/c/d"},
+		{name: "dot segment", urlPath: "/dir/./file.css", indexFile: "index.html", want: "/dir/file.css"},
+		{name: "repeated slashes", urlPath: "/a//b///c", indexFile: "index.html", want: "/a/b/c"},
+		{name: "mixed mess", urlPath: "/a/./b/../c//d", indexFile: "index.html", want: "/a/c/d"},
+
+		// --- Trailing-slash / directory semantics ---
+		{name: "dir with dot segment", urlPath: "/dir/./", indexFile: "index.html", want: "/dir/index.html"},
+		{name: "dir with repeated slashes", urlPath: "/docs///", indexFile: "index.html", want: "/docs/index.html"},
+		{name: "dir dotdot trailing slash", urlPath: "/a/b/../", indexFile: "index.html", want: "/a/index.html"},
+		{name: "root via dotdot trailing slash", urlPath: "/a/../", indexFile: "index.html", want: "/index.html"},
+
+		// --- Empty and edge cases ---
+		{name: "empty path", urlPath: "", indexFile: "index.html", want: "/index.html"},
+		{name: "empty path custom index", urlPath: "", indexFile: "home.html", want: "/home.html"},
+		{name: "bare slash custom index", urlPath: "/", indexFile: "custom.html", want: "/custom.html"},
 	}
 
 	for _, tt := range tests {