bug: HandleRawResponse defers Body.Close() after reading the body #52

@electather

Description

In cmd/apiutil/response.go, the HandleRawResponse function places defer r.Body.Close() after the io.ReadAll(r.Body) call. This means:

  1. If ReadAll panics, the body is never closed (resource leak).
  2. The defer is semantically misleading — it suggests the body will be closed on function exit, but it's registered too late to protect against early failures.

Steps to reproduce

  1. Review cmd/apiutil/response.go, lines ~45-55.
  2. Observe the ordering:
     body, err := io.ReadAll(r.Body)  // read first
     if err != nil {
         return fmt.Errorf("failed to read response body: %w", err)
     }
     defer r.Body.Close()  // defer registered AFTER read

Expected behaviour

defer r.Body.Close() should be placed before io.ReadAll(r.Body) to guarantee cleanup regardless of what happens during the read.

Actual behaviour

The body close is deferred after the read. If ReadAll returns an error, the function returns early and the defer is never registered, so r.Body is never closed.

seerr-cli version

All versions (code review finding).

Operating system

All platforms.

Additional context

The fix is a one-line reorder:

// Correct ordering:
defer r.Body.Close()
body, err := io.ReadAll(r.Body)
if err != nil {
    return fmt.Errorf("failed to read response body: %w", err)
}
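
An added example, not code from the seerr-cli repository or the issue author: it runs both orderings against a constructed body whose Read always fails and records whether Close was called. The names `trackedBody`, `readDeferAfter`, `readDeferBefore` and `closedAfterFailedRead` are hypothetical; the real signature of HandleRawResponse is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
)

// trackedBody is a constructed response body: Read always fails, Close is recorded.
type trackedBody struct{ closed bool }

func (b *trackedBody) Read([]byte) (int, error) { return 0, errors.New("connection reset (constructed)") }
func (b *trackedBody) Close() error             { b.closed = true; return nil }

// readDeferAfter mirrors the ordering reported in the issue: defer registered after the read.
func readDeferAfter(r *http.Response) ([]byte, error) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// Early return: the defer below has not been registered yet.
		return nil, fmt.Errorf("failed to read response body: %w", err)
	}
	defer r.Body.Close()
	return body, nil
}

// readDeferBefore uses the ordering proposed in the issue: defer registered first.
func readDeferBefore(r *http.Response) ([]byte, error) {
	defer r.Body.Close()
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return nil, fmt.Errorf("failed to read response body: %w", err)
	}
	return body, nil
}

// closedAfterFailedRead reports whether the body was closed once the read failed.
func closedAfterFailedRead(read func(*http.Response) ([]byte, error)) bool {
	b := &trackedBody{}
	_, err := read(&http.Response{Body: b})
	return err != nil && b.closed
}

func main() {
	fmt.Println("defer after read, body closed: ", closedAfterFailedRead(readDeferAfter))
	fmt.Println("defer before read, body closed:", closedAfterFailedRead(readDeferBefore))
}
```

With `net/http` clients, an unclosed body keeps the underlying connection from being reused or released, so the failed-read path is where repeated errors turn into connection and file-descriptor exhaustion.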

Labels: bug
