fix: handle comma-separated entries in -l/-list and stdin input

[Gengyscan]

Description

Fixes #859 — -l/-list and stdin input now correctly handle comma-separated targets on a single line, matching the existing -u flag behavior.

Problem

When using -u host1,host2,host3, targets are correctly split by comma via CommaSeparatedStringSliceOptions in goflags. However, when using -l file.txt where the file contains comma-separated targets on a single line, the entire line is treated as one target, causing connection failures.

Root Cause

In normalizeAndQueueInputs, the bufio scanner reads each line and passes it directly to processInputItem without splitting on commas. The -u flag gets comma-splitting for free from goflags, but file/stdin inputs bypass that.

Fix

Split each scanned line on commas (with trimming) before passing to processInputItem, in both the file-input and stdin-input code paths.

Changes

• internal/runner/runner.go: Added strings.Split(text, ",") loop with strings.TrimSpace in both the -l file scanner and the stdin scanner blocks of normalizeAndQueueInputs.

Testing

• Build passes (go build -buildvcs=false ./cmd/tlsx/)
• No new dependencies added (strings was already imported)
• Comma splitting is safe for all valid target types (IP, CIDR, FQDN, ASN) as none contain commas

/claim #859

Summary by CodeRabbit

• New Features

  • Input processing now treats comma-separated entries on a line as individual items for both file and stdin input.

• Bug Fixes

  • Improved error handling with clearer messages when reading input from files or stdin.

• Tests

  • Added comprehensive tests validating comma-separated input parsing and various formatting scenarios.

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

Highlights

• Added proper error handling for file close operations with deferred cleanup
• Added scanner error checks for both file and stdin input paths
• Error messages are generic and do not expose sensitive information beyond what the user already provided
• Test coverage added for comma-separated input validation

_{Comment @pdneo help for available commands. · Open in Neo}

[coderabbitai]

Walkthrough

Input parsing now splits each input line on commas, trims whitespace, and enqueues each non-empty segment as a separate input item. File and stdin read errors are wrapped with descriptive messages and returned. Public function signatures remain unchanged.

Changes

Cohort / File(s)	Summary
Input processing & error handling internal/runner/runner.go	Per-line input processing changed to split on commas, trim each item, and queue non-empty entries individually. Added wrapped error returns for failures reading input files and stdin.
Tests - comma-separated inputs internal/runner/runner_test.go	Added tests Test_CommaSeparatedFileInput (duplicated block present) covering comma-separated entries, trimming, trailing commas, host:port, and multi-line scenarios to validate new parsing behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble through lines, then split what I find,
Tiny commas tumble, each token trimmed and lined.
Queued to hop onward, neat entries in play,
I cheer for prefixes that now find their way. 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: handling comma-separated entries in -l/-list and stdin input, which directly addresses the PR's primary objective.
Linked Issues check	✅ Passed	The PR fully addresses issue #859 by implementing comma-splitting in normalizeAndQueueInputs for both file input (-l) and stdin, achieving parity with -u behavior as required.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to addressing issue #859: modifying normalizeAndQueueInputs logic and adding regression test coverage for comma-separated input parsing.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/runner/runner.go`:
- Around line 439-449: The scanner loops that read from file and stdin use
bufio.NewScanner(file) / bufio.NewScanner(os.Stdin) and call
r.processInputItem(...) for each token but never check scanner.Err(); after each
loop (the file-scanner loop around the call to r.processInputItem and the
stdin-scanner loop) call scanner.Err(), and if non-nil return or propagate that
error (or wrap it with context) instead of silently returning nil so token-size
or I/O errors are not swallowed; update the function to handle and surface these
errors where the scanner variables are defined.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96b26ef1-e5a1-4bde-8d26-2de2cbc0439b

📥 Commits

Reviewing files that changed from the base of the PR and between d13b67f and c28ca65.

📒 Files selected for processing (1)

• internal/runner/runner.go

[coderabbitai]

🧹 Nitpick comments (1)

internal/runner/runner_test.go (1)

409-413: Consider verifying custom port extraction in the "host with port" test.

The test validates host extraction from example.com:8443,scanme.sh:443 but only checks the host field. Since processInputItem uses custom ports instead of the default when present, verifying the port field would strengthen coverage against regressions in port parsing.

🔧 Optional enhancement to also verify ports

 		{
 			name:     "host with port",
 			content:  "example.com:8443,scanme.sh:443",
-			expected: []string{"example.com", "scanme.sh"},
+			expected: []string{"example.com:8443", "scanme.sh:443"},
 		},

Then update the collection loop to include the port:

 			var hosts []string
 			for task := range inputs {
-				hosts = append(hosts, task.host)
+				hosts = append(hosts, task.host+":"+task.port)
 			}

Alternatively, keep the current test focused on comma-splitting and add a separate subtest for port extraction verification.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@internal/runner/runner_test.go` around lines 409 - 413, The "host with port"
test only asserts the host names but should also verify that processInputItem
correctly parses custom ports; update the test block named "host with port" (and
the loop that collects results) to assert the parsed port values (e.g., expect
8443 for example.com and 443 for scanme.sh) against the produced items' port
field, or add a focused subtest that calls processInputItem with
"example.com:8443,scanme.sh:443" and asserts both host and port for each parsed
item so port-parsing regressions are caught.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@internal/runner/runner_test.go`:
- Around line 409-413: The "host with port" test only asserts the host names but
should also verify that processInputItem correctly parses custom ports; update
the test block named "host with port" (and the loop that collects results) to
assert the parsed port values (e.g., expect 8443 for example.com and 443 for
scanme.sh) against the produced items' port field, or add a focused subtest that
calls processInputItem with "example.com:8443,scanme.sh:443" and asserts both
host and port for each parsed item so port-parsing regressions are caught.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7fd80867-27ca-4da1-973c-2cab3e0adcb1

📥 Commits

Reviewing files that changed from the base of the PR and between c135e77 and a2c6745.

📒 Files selected for processing (1)

• internal/runner/runner_test.go

[Mzack9999]

Thank you for the contribution! This issue has been resolved by #953 which was merged with the same approach along with a dedicated test. Closing as superseded.