fix(fuzz): use OrderedMap for path segments to ensure deterministic iteration

[Rhan2020]

Summary

Fix non-deterministic path-based fuzzing that causes path segments (especially numeric ones like 55 in /user/55/profile) to be randomly skipped.

Fixes #6398

Root Cause

Path.Parse() stores path segments in a plain Go map[string]interface{}. Since Go maps have non-deterministic iteration order, Path.Iterate() yields segments in random order, causing the fuzzing engine to sometimes skip segments.

Fix

• Replace map[string]interface{} with mapsutil.OrderedMap in Path.Parse(), matching the pattern already used by the Cookie component
• Use dataformat.KVOrderedMap() instead of dataformat.KVMap() to preserve insertion order
• Update Path.Rebuild() to use KV.Get() instead of direct .Map.GetOrDefault() access (which would be nil with OrderedMap)
• Add TestPathComponent_DeterministicIteration regression test that runs 100 iterations to verify stable ordering

Changes

2 files, minimal diff:

• pkg/fuzz/component/path.go — 19 lines changed
• pkg/fuzz/component/path_test.go — 26 lines added

Testing

All existing tests pass, plus the new deterministic iteration test:

=== RUN   TestURLComponent
--- PASS: TestURLComponent (0.00s)
=== RUN   TestURLComponent_NestedPaths
--- PASS: TestURLComponent_NestedPaths (0.00s)
=== RUN   TestPathComponent_DeterministicIteration
--- PASS: TestPathComponent_DeterministicIteration (0.00s)
=== RUN   TestPathComponent_SQLInjection
    path_test.go:123: Original path: /user/55/profile
    path_test.go:127: Key: 1, Value: user
    path_test.go:127: Key: 2, Value: 55
    path_test.go:127: Key: 3, Value: profile
    path_test.go:146: Modified path: /user/55 OR True/profile
--- PASS: TestPathComponent_SQLInjection (0.00s)
PASS
ok  github.com/projectdiscovery/nuclei/v3/pkg/fuzz/component

Full fuzz package suite also passes: go test ./pkg/fuzz/... ✅

Checklist

• Pull request is created against the dev branch
• All checks passed (go vet, go test ./pkg/fuzz/...)
• Tests added that prove the fix is effective
• Minimal, focused change following existing conventions (Cookie component pattern)

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Fixed non-deterministic iteration of path segments to ensure consistent and predictable ordering when processing URLs.

• Tests

  • Added verification test to confirm deterministic path segment iteration behavior across multiple runs.

[coderabbitai]

Walkthrough

This pull request fixes a bug in path-based fuzzing where numeric path segments were being skipped during template fuzzing. The fix replaces a plain map with an ordered map to ensure deterministic iteration order of path segments, preventing non-deterministic behavior that caused segments to be randomly omitted from fuzzing operations.

Changes

Cohort / File(s)	Summary
Path component ordering pkg/fuzz/component/path.go	Replaces plain map with ordered map (segments with 1-based segmentIndex) to preserve insertion order. Rewrites parsing logic to populate ordered map and call SetParsed with KVOrderedMap wrapper. Updates rebuild logic to read replacements via Get(key) with fallback to original segment when key is missing or value is invalid.
Path fuzzing test pkg/fuzz/component/path_test.go	Adds TestPathComponent_DeterministicIteration test that verifies path segment iteration is deterministic across 100 runs, asserting keys ["1","2","3"] and corresponding values ["user","55","profile"].

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 Hops with glee!

Once our fuzzing paths were wild,
Numeric segments lost, unbeguiled—
Now ordered maps keep segments spry,
Deterministic journeys, no more shy,
Every segment fuzzed, none pass by! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing a plain map with OrderedMap for path segments to fix non-deterministic iteration during fuzzing.
Linked Issues check	✅ Passed	All code requirements from issue #6398 are met: OrderedMap replaces plain maps in Path.Parse(), KVOrderedMap replaces KVMap to preserve insertion order, Path.Rebuild() uses Get() for lookups, and TestPathComponent_DeterministicIteration validates consistent ordering.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing non-deterministic path fuzzing; modifications to path.go and addition of regression test in path_test.go are both necessary and in-scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[dogancanbakir]

Hi, thanks for your interest in contributing! Just a heads up, we ask contributors to work on 1 active issue at a time (see).

Also, we welcome AI-assisted development, but submissions must be complete, tested, and ready to merge. Please also make sure to fill out the PR template with proof that your changes work.

We're closing this PR along with your other open submissions. Once you're ready, feel free to pick one issue to focus on and resubmit; we'd be happy to review it.

Appreciate your understanding!