fix client-side flags override issue

[eeisegn]

• Stop client-side flags overriding server-side flags if set
• Provide explicit configuration to allow such overrides

Summary by CodeRabbit

• New Release

  • Added changelog entry for version 1.6.5 (2026-03-24).

• Bug Fixes

  • Server-side scanning flags no longer get overridden by client-supplied flags by default; administrators can enable client overrides via a new configuration option.

• Tests

  • Added tests validating flag precedence and override behavior across multiple scanning scenarios.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 54a7fdb3-5f73-437a-b3bb-b91340c8c21a

📥 Commits

Reviewing files that changed from the base of the PR and between 914ef79 and cc122f6.

📒 Files selected for processing (1)

• pkg/service/scanning_service_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/service/scanning_service_test.go

---

📝 Walkthrough

Walkthrough

Adds a server-side AllowFlagsOverride setting that controls whether client-provided scan flags may override server-defined scan flags; when disabled (default), incoming request flags are cleared and a warning is emitted. Changes affect changelog, prod config, server defaults, scanning logic, and tests.

Changes

Cohort / File(s)	Summary
Changelog & Prod Config CHANGELOG.md, config/app-config-prod.json	Added v1.6.5 changelog entry and added Scanning.AllowFlagsOverride = false to production config.
Server Configuration pkg/config/server_config.go	Added Scanning.AllowFlagsOverride bool to ServerConfig (env: SCAN_ALLOW_FLAGS_OVERRIDE) and set default false.
Scanning Service Logic pkg/service/scanning_service.go	getConfigFromRequest now checks AllowFlagsOverride and server ScanFlags; if overrides disallowed and server flags > 0, request flags are cleared with a warning; if allowed, request flags are used (debug logged).
Tests pkg/service/scanning_service_test.go	Added TestScanFlags, a table-driven test covering precedence between server ScanFlags, AllowFlagsOverride, and optional request flags header.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ScanningService as "Scanning Service"
    participant ServerConfig as "Server Config"
    participant Scanner as "Scanner/Engine"

    Client->>ScanningService: POST /scan (file + optional flags header)
    ScanningService->>ServerConfig: Read ScanFlags & AllowFlagsOverride
    alt AllowFlagsOverride == false and Server ScanFlags > 0 and flags present
        ScanningService-->>Client: Emit warning (flags ignored)
        ScanningService->>ScanningService: Clear request flags
    else AllowFlagsOverride == true and flags present
        ScanningService-->>Client: Debug log (using request flags)
    end
    ScanningService->>Scanner: Start scan with resolved flags + file
    Scanner-->>ScanningService: Return scan result
    ScanningService-->>Client: HTTP 200 + result

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I nudged a flag, set false by default,
Clients shouted options, servers held the vault.
A warning I gave when rules stayed tight,
Tests hopped around to make it right.
Carrots, code, and calm delight. 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title concisely summarizes the main change: preventing client-side flags from overriding server-side flags, which is the core objective of this PR.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/DO-312-update-flags-override

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/service/scanning_service_test.go (1)

670-673: Variable shadowing reduces clarity.

The variables fieldName (line 670) and file (line 673) shadow outer-scope variables with the same names. While this works correctly, it could cause confusion during maintenance.

♻️ Suggested fix to avoid shadowing

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			myConfig.Scanning.ScanFlags = test.serverFlags
 			myConfig.Scanning.AllowFlagsOverride = test.allowFlagsOverride
 			myConfig.Scanning.ScanBinary = binary
-			filePath := file
-			fieldName := fieldName
+			filePath := file       // use outer `file` directly or rename
 			postBody := new(bytes.Buffer)
 			mw := multipart.NewWriter(postBody)
-			file, err := os.Open(filePath)
+			wfpFile, err := os.Open(filePath)
 			if err != nil {
 				t.Fatal(err)
 			}
-			writer, err := mw.CreateFormFile(fieldName, filePath)
+			writer, err := mw.CreateFormFile(fieldName, filePath)  // use outer fieldName directly
 			if err != nil {
 				t.Fatal(err)
 			}
-			if _, err = io.Copy(writer, file); err != nil {
+			if _, err = io.Copy(writer, wfpFile); err != nil {
 				t.Fatal(err)
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/service/scanning_service_test.go` around lines 670 - 673, The test
currently shadows outer-scope variables by re-declaring fieldName and file with
:= inside the multipart setup; update the block in scanning_service_test.go
(around the multipart writer setup) to avoid shadowing by either using
assignment (fieldName = fieldNameVal; openedFile, err = os.Open(filePath)) or
renaming the locals (e.g., localFieldName and openedFile) and replacing uses of
fieldName and file in that scope; ensure you still check and handle err after
opening the file and close the openedFile when done.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/service/scanning_service_test.go`:
- Around line 670-673: The test currently shadows outer-scope variables by
re-declaring fieldName and file with := inside the multipart setup; update the
block in scanning_service_test.go (around the multipart writer setup) to avoid
shadowing by either using assignment (fieldName = fieldNameVal; openedFile, err
= os.Open(filePath)) or renaming the locals (e.g., localFieldName and
openedFile) and replacing uses of fieldName and file in that scope; ensure you
still check and handle err after opening the file and close the openedFile when
done.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a560e008-1512-42f6-9d7e-f24862bfef78

📥 Commits

Reviewing files that changed from the base of the PR and between 6a6f886 and 06dc8d5.

📒 Files selected for processing (5)

• CHANGELOG.md
• config/app-config-prod.json
• pkg/config/server_config.go
• pkg/service/scanning_service.go
• pkg/service/scanning_service_test.go

[agustingroh]

should the test excercises 'getConfigFromRequest' and check the override behaviour instead of the asserting http.StatusOK?

Example:

tests := []struct {
    name               string
    serverFlags        int
    allowFlagsOverride bool
    clientFlags        string
    want               int
    wantFlags          string // flags actually used in the scan
}{
    {
        name:               "Scanning - server flags only",
        serverFlags:        1248,
        allowFlagsOverride: false,
        clientFlags:        "256",
        want:               http.StatusOK,
        wantFlags:          "1248",
    },
....

`
    for _, test := range tests {
        t.Run(test.name, func(t *testing.T) {
            myConfig.Scanning.ScanFlags = test.serverFlags
            myConfig.Scanning.AllowFlagsOverride = test.allowFlagsOverride

            req := httptest.NewRequest(http.MethodPost, "/scan/direct", nil)
            req.Header.Set("flags", test.clientFlags)

            apiService := NewAPIService(myConfig)
            cfg, err := apiService.getConfigFromRequest(req, logger)

            assert.NoError(t, err)
            assert.Equal(t, test.wantFlags, cfg.Flags)
        })
    }`

[eeisegn]

yes. will implement that