refactor: improve cache key generation by escaping key delimiters and normalizing method names

Author: ReneWerner87

middleware/cache/cache.go

@@ -1332,12 +1332,12 @@ func canonicalQueryString(uri *fasthttp.URI) string {
 	// Pre-scan query string to detect excessive parameters before expensive parsing.
 	// This prevents DoS via url.ParseQuery allocating large maps/slices.
 	if len(query) > maxQueryBufferSize {
-		return boundKeySegment(query)
+		return boundKeySegment(escapeKeyDelimiters(query))
 	}
 
 	// Fast path: single key=value pair needs no parsing or sorting
 	if strings.IndexByte(query, '&') < 0 {
-		return boundKeySegment(query)
+		return boundKeySegment(escapeKeyDelimiters(query))
 	}
 
 	// Quick count of potential parameters (ampersands + 1)
@@ -1347,22 +1347,22 @@ func canonicalQueryString(uri *fasthttp.URI) string {
 			paramCount++
 			if paramCount > maxQueryParams {
 				// Too many parameters detected, hash without parsing
-				return boundKeySegment(query)
+				return boundKeySegment(escapeKeyDelimiters(query))
 			}
 		}
 	}
 
 	parsed, err := url.ParseQuery(query)
 	if err != nil {
-		return boundKeySegment(query)
+		return boundKeySegment(escapeKeyDelimiters(query))
 	}
 
 	// Double-check actual parameter count after parsing
 	actualCount := 0
 	for _, values := range parsed {
 		actualCount += len(values)
 		if actualCount > maxQueryParams {
-			return boundKeySegment(query)
+			return boundKeySegment(escapeKeyDelimiters(query))
 		}
 	}
 
@@ -1399,7 +1399,7 @@ func canonicalQueryString(uri *fasthttp.URI) string {
 					*bufPtr = buf
 					keyBufferPool.Put(bufPtr)
 				}
-				return boundKeySegment(query)
+				return boundKeySegment(escapeKeyDelimiters(query))
 			}
 
 			buf = append(buf, escapedKey...)

middleware/cache/cache_test.go

@@ -5451,7 +5451,7 @@ func Test_hasDirective(t *testing.T) {
 		{"at start", "no-cache, max-age=0", "no-cache", true},
 		{"at end", "public, no-cache", "no-cache", true},
 		{"not present", "public, max-age=0", "no-cache", false},
-		{"partial match (truncated)", "no-cach", "no-cache", false}, // cspell:disable-line -- intentionally truncated directive
+		{"shorter token does not match", "no-catch", "no-cache", false},
 		{"substring of longer token", "no-cache-extended", "no-cache", false},
 
 		// Trailing whitespace (#4143)

middleware/cache/config.go

@@ -169,10 +169,13 @@ func configDefault(config ...Config) Config {
 		cfg.Methods = ConfigDefault.Methods
 	} else {
 		// Normalize method names to uppercase (HTTP methods are case-sensitive
-		// and c.Method() returns uppercase, e.g. "GET" not "get")
+		// and c.Method() returns uppercase, e.g. "GET" not "get").
+		// Copy first to avoid mutating the caller's slice.
+		normalized := make([]string, len(cfg.Methods))
 		for i, m := range cfg.Methods {
-			cfg.Methods[i] = utilsstrings.ToUpper(m)
+			normalized[i] = utilsstrings.ToUpper(m)
 		}
+		cfg.Methods = normalized
 	}
 	if cfg.KeyGenerator == nil {
 		cfg.KeyGenerator = func(c fiber.Ctx) string {