fix: safe type assertions in CloseNotify() and Hijack()

jassus213 · jassus213 · commit 4823c8b6e58c · 2026-04-22T17:29:21.000+03:00
When gin is used with http.TimeoutHandler or any other middleware that wraps http.ResponseWriter with a type that does not implement http.Hijacker or http.CloseNotifier, the direct type assertions in Hijack() and CloseNotify() cause a runtime panic. Replace with checked assertions following the same pattern already used in Flush(). CloseNotify() returns nil when unsupported (http.CloseNotifier is deprecated since Go 1.11). Hijack() returns a descriptive error, consistent with the existing errHijackAlreadyWritten pattern. Fixes #4460
diff --git a/response_writer.go b/response_writer.go
@@ -17,7 +17,10 @@ const (
 	defaultStatus = http.StatusOK
 )
 
-var errHijackAlreadyWritten = errors.New("gin: response body already written")
+var (
+	errHijackAlreadyWritten = errors.New("gin: response body already written")
+	errHijackNotSupported   = errors.New("gin: underlying ResponseWriter does not support hijacking")
+)
 
 // ResponseWriter ...
 type ResponseWriter interface {
@@ -109,20 +112,25 @@ func (w *responseWriter) Written() bool {
 
 // Hijack implements the http.Hijacker interface.
 func (w *responseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	// Allow hijacking before any data is written (size == -1) or after headers are written (size == 0),
-	// but not after body data is written (size > 0). For compatibility with websocket libraries (e.g., github.com/coder/websocket)
 	if w.size > 0 {
 		return nil, nil, errHijackAlreadyWritten
 	}
+	hijacker, ok := w.ResponseWriter.(http.Hijacker)
+	if !ok {
+		return nil, nil, errHijackNotSupported
+	}
 	if w.size < 0 {
 		w.size = 0
 	}
-	return w.ResponseWriter.(http.Hijacker).Hijack()
+	return hijacker.Hijack()
 }
 
 // CloseNotify implements the http.CloseNotifier interface.
 func (w *responseWriter) CloseNotify() <-chan bool {
-	return w.ResponseWriter.(http.CloseNotifier).CloseNotify()
+	if cn, ok := w.ResponseWriter.(http.CloseNotifier); ok {
+		return cn.CloseNotify()
+	}
+	return nil
 }
 
 // Flush implements the http.Flusher interface.
diff --git a/response_writer_test.go b/response_writer_test.go
@@ -113,17 +113,13 @@ func TestResponseWriterHijack(t *testing.T) {
 	writer.reset(testWriter)
 	w := ResponseWriter(writer)
 
-	assert.Panics(t, func() {
-		_, _, err := w.Hijack()
-		require.NoError(t, err)
-	})
-	assert.True(t, w.Written())
-
-	assert.Panics(t, func() {
-		w.CloseNotify()
-	})
+	// Hijack on a non-hijacker writer returns an error without panicking.
+	_, _, err := w.Hijack()
+	assert.Error(t, err)
+	// Capability check happens before state mutation, so Written() stays false on failure.
+	assert.False(t, w.Written())
 
-	w.Flush()
+	assert.NotPanics(t, func() { w.Flush() })
 }
 
 type mockHijacker struct {
@@ -315,3 +311,51 @@ func TestPusherWithoutPusher(t *testing.T) {
 	pusher := w.Pusher()
 	assert.Nil(t, pusher, "Expected pusher to be nil")
 }
+
+// mockNonHijackerWriter implements only http.ResponseWriter.
+// It intentionally does NOT implement http.Hijacker, http.Flusher, or http.CloseNotifier.
+type mockNonHijackerWriter struct {
+	headers http.Header
+}
+
+func (m *mockNonHijackerWriter) Header() http.Header {
+	if m.headers == nil {
+		m.headers = make(http.Header)
+	}
+	return m.headers
+}
+
+func (m *mockNonHijackerWriter) Write(b []byte) (int, error) {
+	return len(b), nil
+}
+
+func (m *mockNonHijackerWriter) WriteHeader(statusCode int) {}
+
+func TestResponseWriterOptionalInterfaceFallbacks(t *testing.T) {
+	w := &mockNonHijackerWriter{}
+	rw := &responseWriter{}
+	rw.reset(w)
+
+	t.Run("Flush does not panic without Flusher", func(t *testing.T) {
+		assert.NotPanics(t, func() { rw.Flush() })
+	})
+
+	t.Run("CloseNotify returns nil without CloseNotifier", func(t *testing.T) {
+		var ch <-chan bool
+		assert.NotPanics(t, func() { ch = rw.CloseNotify() })
+		assert.Nil(t, ch)
+	})
+
+	t.Run("Hijack returns error without Hijacker", func(t *testing.T) {
+		rw.reset(w) // reset state so Written() starts false
+		assert.NotPanics(t, func() {
+			conn, buf, err := rw.Hijack()
+			assert.Nil(t, conn)
+			assert.Nil(t, buf)
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "does not support hijacking")
+		})
+		// Capability check happens before state mutation, so Written() stays false on failure.
+		assert.False(t, rw.Written())
+	})
+}
