
test: add fuzz test for file handler error paths#5539

Open
taeyoung0823 wants to merge 4 commits into
litmuschaos:masterfrom
taeyoung0823:test/add-file-handler-fuzz-tests

Conversation

@taeyoung0823


Summary

Fixes #5538

This PR adds fuzz test coverage for the file handler manifest endpoint and ensures the handler returns immediately after writing error responses.

Changes

  • Added early returns after error responses in FileHandler
  • Added fuzz tests for file handler key and Referer inputs
  • Covered malformed keys, empty keys, path-like inputs, and invalid Referer values
  • Ensured the handler does not panic on unexpected inputs

Testing

go test ./pkg/handlers/...
go test ./pkg/handlers/... -run=FuzzFileHandler -fuzz=FuzzFileHandler -fuzztime=30s

Signed-off-by: taeyoung0823 <kimxodud0823@naver.com>
@PriteshKiri

Contributor

Hey @taeyoung0823
Could you please check the CI failures?

Copilot AI left a comment

Contributor


Pull request overview

This PR aims to harden the /file/:key manifest endpoint by ensuring FileHandler stops execution immediately after writing error responses, and adds a fuzz test to exercise error paths and prevent panics on unexpected inputs.

Changes:

  • Added return statements after multiple error responses in FileHandler.
  • Added a new fuzz test targeting FileHandler with varied key and Referer inputs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Reviewed files:

  • chaoscenter/graphql/server/pkg/handlers/file_handler.go: adds early returns after error writes to prevent continued execution after an error response.
  • chaoscenter/graphql/server/pkg/handlers/file_handler_fuzz_test.go: introduces fuzzing for the file handler to catch panics and unexpected behavior on malformed inputs.

Comments suppressed due to low confidence (1)

chaoscenter/graphql/server/pkg/handlers/file_handler.go:48

  • /file/:key is registered without the authorization middleware that injects request-header into the request context (see server.go), so relying on c.Value("request-header") is unlikely to work for real requests and will force the handler into the 500 path. In a gin handler you can read headers directly from c.Request.Header / c.GetHeader(...).
		reqHeader, ok := c.Value("request-header").(http.Header)
		if !ok {
			logrus.Error("unable to parse referer header")
			utils.WriteHeaders(&c.Writer, 500)
			c.Writer.Write([]byte("unable to parse referer header"))
			return
		}

		referrer := reqHeader.Get("Referer")
		if referrer == "" {


Inline comment anchored in file_handler_fuzz_test.go at:

		},
	}

	ctx.Set("request-header", req.Header)

Comment on lines +32 to +33:

	gin.SetMode(gin.TestMode)
@PriteshKiri

Contributor

Hey @taeyoung0823
Could you please check the Co-Pilot review comments?

Signed-off-by: taeyoung0823 <kimxodud0823@naver.com>
@taeyoung0823

Author

Thanks for the review @PriteshKiri

I addressed the Copilot review comments by updating FileHandler to read the Referer header directly from the Gin request using c.GetHeader("Referer").

I also updated the fuzz test by removing the request-header context setup, moving gin.SetMode(gin.TestMode) outside the fuzz loop, and skipping JWT-shaped keys that can trigger auth configuration / Mongo access during fuzzing.

The changes have been pushed. Could you please approve the pending workflows when you get a chance?
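The shape of the fix described in this reply (reading Referer directly from the request, returning immediately after every error write, and skipping JWT-shaped keys) as an added example that is not the PR's own code: it uses net/http instead of gin so it runs without the project's dependencies, and the key pattern, handler body and probe helper are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Assumed key format for this stand-in handler (not the project's own rule).
var keyPattern = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// looksLikeJWT reports whether a key has the three dot-separated segments of a
// JWT, so a fuzz target can skip inputs that would reach auth or Mongo code.
func looksLikeJWT(key string) bool {
	parts := strings.Split(key, ".")
	return len(parts) == 3 && parts[0] != "" && parts[1] != "" && parts[2] != ""
}

// fileHandler mirrors the fixed shape: Referer is read straight from the request
// headers, and every error write is followed by an immediate return.
func fileHandler(w http.ResponseWriter, r *http.Request) {
	key := strings.TrimPrefix(r.URL.Path, "/file/")
	if key == "" || !keyPattern.MatchString(key) {
		http.Error(w, "invalid key", http.StatusBadRequest)
		return // without this the success path below would also run
	}
	referer := r.Header.Get("Referer") // net/http analogue of c.GetHeader("Referer")
	if _, err := url.ParseRequestURI(referer); referer == "" || err != nil {
		http.Error(w, "invalid referer header", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "manifest %s for %s\n", key, referer)
}

// probe is the per-input body a fuzz target would call from f.Fuzz: the request
// is built by hand (odd bytes in key would make httptest.NewRequest panic), the
// handler is run, and the status is returned along with whether it panicked.
func probe(key, referer string) (status int, panicked bool) {
	defer func() { if recover() != nil { panicked = true } }()
	req := &http.Request{Method: http.MethodGet, URL: &url.URL{Path: "/file/" + key}, Header: http.Header{}}
	req.Header.Set("Referer", referer)
	rec := httptest.NewRecorder()
	fileHandler(rec, req)
	return rec.Code, false
}
```

A fuzz target would seed f.Add with a valid key and Referer, then call probe inside f.Fuzz and fail on panicked == true or on a status outside {200, 400}.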

Development

Successfully merging this pull request may close these issues.

Add fuzz tests and early returns for file handler error paths

4 participants