Returning the stored slice directly allows callers to mutate the stored
data, which defeats the purpose of the defensive copying in Set().
Since this package doesn't have access to gofiber/utils, we manually
copy the slice using make() and copy().
This completes the fix by ensuring stored data cannot be corrupted
either on input (Set) or accessed mutably on output (Get).
Problem:
The memory storage uses string keys and byte slice values directly in
a Go map without copying them. When these strings/slices are backed by
pooled buffers (from sync.Pool used by Fiber for performance), the map
keys and values can become corrupted when those buffers are reused.
Root Cause:
1. Fiber v3 uses sync.Pool extensively for byte buffer reuse
2. Strings created from pooled buffers point to the underlying pooled memory
3. When used as Go map keys without copying, these strings share the pooled buffer
4. When the buffer is returned to the pool and reused, the map key gets corrupted
5. This causes intermittent failures where sessions/CSRF tokens cannot be found
Solution:
Copy both the key (string) and value ([]byte) before storing in the map.
Since this package doesn't have access to gofiber/utils, we use manual copying:
- Key: string([]byte(key)) - creates a new string with a new backing array
- Value: make new slice and copy bytes
Testing:
- Before fix: ~8% pass rate with ginkgo --repeat=100
- After fix: 100% pass rate with ginkgo --repeat=200
- No corrupted keys found in storage after fix
Impact:
- Performance: Minimal - one string copy and one byte slice copy per Set
- Safety: Prevents entire class of memory corruption bugs
- Consistency: Aligns with the fix applied to gofiber/fiber internal storage
* Add DB() support for Redis driver
* Added support for DB() to all drivers
* Fixed typo in README and Lint issue
* Fix lint issue with ristretto db
* Fix lint issue with bbolt db
* Rename DB() to Conn()
* Replace all instances of _DB with _Conn
* Update all the README files
* Return ArangoDB Client instead of DB
