fastify/fastify · OSS Lab

Fastify trusts forwarded host and protocol without a socket guard

Visible upstream regression test fails on the parent snapshot

Easy · API & Request Flow · Playable · ready
OSS Labs are training exercises derived from public open-source bug-fix history. Completing a lab is not an upstream contribution or merged PR. Buglyst is not affiliated with these projects.
Source commit: 21b4c3c
Parent commit: 9bbf609
License: MIT
Files: 385
Visible LOC: 79,438
Est. time: ~20m

What this lab trains

  • Repository navigation
  • Failing test reproduction
  • Root cause tracing
  • Minimal patch reasoning
  • PR-style explanation
  • HTTP request/response flow

Failing signal

What you’ll see when you run the visible regression test.

Symptom: Visible upstream regression test fails on the parent snapshot.
Entry point hint: Start at test/internals/request.test.js.

Repo navigation focus

A public-safe starting path for the large repo snapshot.

Start here
  • test/internals/request.test.js
Likely area
  • lib/request.js
  • test/internals/request.test.js
Investigation path
  1. Run the visible regression: npx borp test/internals/request.test.js.
  2. Read the failing assertion about forwarded host/protocol when no socket is present.
  3. Trace how the request object derives host and protocol from forwarded headers.
  4. Determine why forwarded values are used even when the underlying socket is absent.
  5. Patch only the request host/protocol resolution to guard on socket presence, without changing trusted-proxy behavior.
Repo scale
  • 385 files
  • ~67k LOC
  • Real Fastify repo snapshot

PR-style report (preview)

The structured report you produce on accept. This is the format, not a real completion.

PR-STYLE REPORT
Sample format
Fastify trusts forwarded host and protocol without a socket guard
fastify/fastify

Problem

A regression reproduced from public bug-fix history causes a visible test to fail on the parent snapshot.

Root cause

Written by you, in your own words, after tracing the failing test into the runtime source. (Filled in from your submission — not provided here.)

Fix summary

A minimal patch that makes the visible regression test pass without breaking neighbouring behaviour.

Files changed

  • test/<regression>.test.js
  • lib/<runtime-source>.js

Files inspected

  • test/<regression>.test.js
  • lib/<runtime-source>.js

Tests run

  • Visible regression test
  • Hidden edge-case validation

Validation result

Visible checks: pending
Hidden validation: pending

Resume-safe summary

Completed an OSS-backed Buglyst debugging lab based on public bug-fix history: reproduced a failing test, traced the root cause, and shipped a minimal patch that passed visible and hidden validation. Not an upstream contribution.
