[Fix] - Fuzz tests, linting, http methods (#94)

* feat(email): block header injection in template aliases

Add validation to detect and reject template aliases containing
carriage returns or line feeds to prevent header injection attacks.

Apply this validation in SendTemplatedEmail and SendTemplatedEmailBatch
to ensure all template aliases are safe before sending emails.

Include comprehensive tests to verify valid aliases pass and
malicious aliases trigger errors, enhancing email security.

* refactor: use http.Method constants for HTTP requests

Replace string literals for HTTP methods with the standard
net/http.MethodGet, MethodPost, MethodDelete, etc. constants
across multiple packages and files including inbound_rules_triggers,
bounce, sender_signatures, data_removals, email, and the test router.

This improves code readability, consistency, and reduces the risk
of typos in method strings. Additionally, update TestRouter to use
http.Request parameter names and method constants for clarity.

* refactor: use http.Method constants and add PushTemplates tests

Replace raw HTTP method strings with standard http.Method constants  
throughout template client methods for improved consistency and clarity.

Add comprehensive tests for PushTemplates API including simulation mode,  
verifying request payload, headers, and response unmarshaling to ensure  
correct client behavior and robustness when pushing templates between servers.

Author: mrz1836

bounce.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"net/url"
 	"time"
 )
@@ -32,7 +33,7 @@ func (client *Client) GetDeliveryStats(ctx context.Context) (DeliveryStats, erro
 	res := DeliveryStats{}
 	path := "deliverystats"
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      path,
 		TokenType: serverToken,
 	}, &res)
@@ -99,7 +100,7 @@ func (client *Client) GetBounces(ctx context.Context, count, offset int64, optio
 	path := fmt.Sprintf("bounces?%s", values.Encode())
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      path,
 		TokenType: serverToken,
 	}, &res)
@@ -111,7 +112,7 @@ func (client *Client) GetBounce(ctx context.Context, bounceID int64) (Bounce, er
 	res := Bounce{}
 	path := fmt.Sprintf("bounces/%v", bounceID)
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      path,
 		TokenType: serverToken,
 	}, &res)
@@ -127,7 +128,7 @@ func (client *Client) GetBounceDump(ctx context.Context, bounceID int64) (string
 	res := dumpResponse{}
 	path := fmt.Sprintf("bounces/%v/dump", bounceID)
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      path,
 		TokenType: serverToken,
 	}, &res)
@@ -146,7 +147,7 @@ func (client *Client) ActivateBounce(ctx context.Context, bounceID int64) (Bounc
 	res := activateBounceResponse{}
 	path := fmt.Sprintf("bounces/%v/activate", bounceID)
 	err := client.doRequest(ctx, parameters{
-		Method:    "PUT",
+		Method:    http.MethodPut,
 		Path:      path,
 		TokenType: serverToken,
 	}, &res)
@@ -162,7 +163,7 @@ func (client *Client) GetBouncedTags(ctx context.Context) ([]string, error) {
 	var raw json.RawMessage
 	path := "bounces/tags"
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      path,
 		TokenType: serverToken,
 	}, &raw)

data_removals.go

@@ -3,6 +3,7 @@ package postmark
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"time"
 )
 
@@ -30,7 +31,7 @@ type DataRemovalResponse struct {
 func (client *Client) CreateDataRemoval(ctx context.Context, request DataRemovalRequest) (DataRemovalResponse, error) {
 	res := DataRemovalResponse{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "POST",
+		Method:    http.MethodPost,
 		Path:      "data-removals",
 		Payload:   request,
 		TokenType: accountToken,
@@ -42,7 +43,7 @@ func (client *Client) CreateDataRemoval(ctx context.Context, request DataRemoval
 func (client *Client) GetDataRemovalStatus(ctx context.Context, id int64) (DataRemovalResponse, error) {
 	res := DataRemovalResponse{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("data-removals/%d", id),
 		TokenType: accountToken,
 	}, &res)

domains.go

@@ -111,7 +111,7 @@ func (client *Client) GetDomains(ctx context.Context, count, offset int) (Domain
 	values.Add("offset", fmt.Sprintf("%d", offset))
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("domains?%s", values.Encode()),
 		TokenType: accountToken,
 	}, &res)

email.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net/http"
 	"time"
 )
 
@@ -85,7 +86,7 @@ type EmailResponse struct {
 func (client *Client) SendEmail(ctx context.Context, email Email) (EmailResponse, error) {
 	res := EmailResponse{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "POST",
+		Method:    http.MethodPost,
 		Path:      "email",
 		Payload:   email,
 		TokenType: serverToken,
@@ -104,7 +105,7 @@ func (client *Client) SendEmail(ctx context.Context, email Email) (EmailResponse
 func (client *Client) SendEmailBatch(ctx context.Context, emails []Email) ([]EmailResponse, error) {
 	var res []EmailResponse
 	err := client.doRequest(ctx, parameters{
-		Method:    "POST",
+		Method:    http.MethodPost,
 		Path:      "email/batch",
 		Payload:   emails,
 		TokenType: serverToken,

inbound_rules_triggers.go

@@ -3,6 +3,7 @@ package postmark
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"net/url"
 )
 
@@ -38,7 +39,7 @@ func (client *Client) GetInboundRuleTriggers(ctx context.Context, count, offset
 	values.Add("offset", fmt.Sprintf("%d", offset))
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("triggers/inboundrules?%s", values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -55,7 +56,7 @@ func (client *Client) CreateInboundRuleTrigger(ctx context.Context, rule string)
 	}
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "POST",
+		Method:    http.MethodPost,
 		Path:      "triggers/inboundrules",
 		Payload:   requestData,
 		TokenType: serverToken,
@@ -68,7 +69,7 @@ func (client *Client) CreateInboundRuleTrigger(ctx context.Context, rule string)
 func (client *Client) DeleteInboundRuleTrigger(ctx context.Context, triggerID int64) error {
 	res := APIError{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "DELETE",
+		Method:    http.MethodDelete,
 		Path:      fmt.Sprintf("triggers/inboundrules/%d", triggerID),
 		TokenType: serverToken,
 	}, &res)

messages_inbound.go

@@ -3,6 +3,7 @@ package postmark
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"net/mail"
 	"net/url"
 	"time"
@@ -61,7 +62,7 @@ func (x InboundMessage) Time() (time.Time, error) {
 func (client *Client) GetInboundMessage(ctx context.Context, messageID string) (InboundMessage, error) {
 	res := InboundMessage{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/inbound/%s/details", messageID),
 		TokenType: serverToken,
 	}, &res)
@@ -88,7 +89,7 @@ func (client *Client) GetInboundMessages(ctx context.Context, count, offset int6
 	}
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/inbound?%s", values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -100,7 +101,7 @@ func (client *Client) GetInboundMessages(ctx context.Context, count, offset int6
 func (client *Client) BypassInboundMessage(ctx context.Context, messageID string) error {
 	res := APIError{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "PUT",
+		Method:    http.MethodPut,
 		Path:      fmt.Sprintf("messages/inbound/%s/bypass", messageID),
 		TokenType: serverToken,
 	}, &res)
@@ -116,7 +117,7 @@ func (client *Client) BypassInboundMessage(ctx context.Context, messageID string
 func (client *Client) RetryInboundMessage(ctx context.Context, messageID string) error {
 	res := APIError{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "PUT",
+		Method:    http.MethodPut,
 		Path:      fmt.Sprintf("messages/inbound/%s/retry", messageID),
 		TokenType: serverToken,
 	}, &res)

messages_outbound.go

@@ -3,6 +3,7 @@ package postmark
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"net/url"
 	"time"
 )
@@ -66,7 +67,7 @@ type MessageEvent struct {
 func (client *Client) GetOutboundMessage(ctx context.Context, messageID string) (OutboundMessage, error) {
 	res := OutboundMessage{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/%s/details", messageID),
 		TokenType: serverToken,
 	}, &res)
@@ -77,7 +78,7 @@ func (client *Client) GetOutboundMessage(ctx context.Context, messageID string)
 func (client *Client) GetOutboundMessageDump(ctx context.Context, messageID string) (string, error) {
 	res := dumpResponse{}
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/%s/dump", messageID),
 		TokenType: serverToken,
 	}, &res)
@@ -105,7 +106,7 @@ func (client *Client) GetOutboundMessages(ctx context.Context, count, offset int
 	}
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound?%s", values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -188,7 +189,7 @@ func (client *Client) GetOutboundMessagesOpens(ctx context.Context, count, offse
 	}
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/opens?%s", values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -205,7 +206,7 @@ func (client *Client) GetOutboundMessageOpens(ctx context.Context, messageID str
 	values.Add("offset", fmt.Sprintf("%d", offset))
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/opens/%s?%s", messageID, values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -228,7 +229,7 @@ func (client *Client) GetOutboundMessagesClicks(ctx context.Context, count, offs
 	}
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/clicks?%s", values.Encode()),
 		TokenType: serverToken,
 	}, &res)
@@ -245,7 +246,7 @@ func (client *Client) GetOutboundMessageClicks(ctx context.Context, messageID st
 	values.Add("offset", fmt.Sprintf("%d", offset))
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("messages/outbound/clicks/%s?%s", messageID, values.Encode()),
 		TokenType: serverToken,
 	}, &res)

postmark_fuzz_test.go

@@ -46,7 +46,7 @@ func FuzzDoRequestJSONUnmarshal(f *testing.F) {
 
 		// Test that the function doesn't panic with malformed JSON
 		err := client.doRequest(context.Background(), parameters{
-			Method:    "GET",
+			Method:    http.MethodGet,
 			Path:      "test",
 			TokenType: serverToken,
 		}, &result)
@@ -97,7 +97,7 @@ func FuzzAPIErrorHandling(f *testing.F) {
 		var result map[string]interface{}
 
 		err := client.doRequest(context.Background(), parameters{
-			Method:    "GET",
+			Method:    http.MethodGet,
 			Path:      "test",
 			TokenType: serverToken,
 		}, &result)
@@ -175,7 +175,7 @@ func FuzzJSONPayloadMarshaling(f *testing.F) {
 
 		// Test that marshaling doesn't panic with complex payloads
 		err := client.doRequest(context.Background(), parameters{
-			Method:    "POST",
+			Method:    http.MethodPost,
 			Path:      "test",
 			Payload:   payload,
 			TokenType: serverToken,

postmark_test.go

@@ -56,7 +56,7 @@ func (s *PostmarkTestSuite) TestDoRequestWithPayload() {
 
 	var result map[string]string
 	err := s.client.doRequest(context.Background(), parameters{
-		Method:    "POST",
+		Method:    http.MethodPost,
 		Path:      "test",
 		TokenType: serverToken,
 		Payload:   payload,
@@ -77,7 +77,7 @@ func (s *PostmarkTestSuite) TestDoRequestWithAccountToken() {
 
 	var result map[string]string
 	err := s.client.doRequest(context.Background(), parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      "account-test",
 		TokenType: accountToken,
 	}, &result)
@@ -94,7 +94,7 @@ func (s *PostmarkTestSuite) TestDoRequestHTTPError() {
 
 	var result map[string]string
 	err := s.client.doRequest(context.Background(), parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      "error-test",
 		TokenType: serverToken,
 	}, &result)
@@ -108,7 +108,7 @@ func (s *PostmarkTestSuite) TestDoRequestContextCancellation() {
 
 	var result map[string]string
 	err := s.client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      "test",
 		TokenType: serverToken,
 	}, &result)
@@ -124,7 +124,7 @@ func (s *PostmarkTestSuite) TestDoRequestInvalidJSON() {
 
 	var result map[string]string
 	err := s.client.doRequest(context.Background(), parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      "invalid-json",
 		TokenType: serverToken,
 	}, &result)

sender_signatures.go

@@ -132,7 +132,7 @@ func (client *Client) GetSenderSignatures(ctx context.Context, count, offset int
 	values.Add("offset", fmt.Sprintf("%d", offset))
 
 	err := client.doRequest(ctx, parameters{
-		Method:    "GET",
+		Method:    http.MethodGet,
 		Path:      fmt.Sprintf("senders?%s", values.Encode()),
 		TokenType: accountToken,
 	}, &res)