fix: stop treating semicolons as query parameter separators

[veeceey]

Summary

• Fixes [BUG] Semicolon unduly acts as separator for query parameters (thereby creating a parser differential) #781: findFirstQueryKey previously split query parameters on both & and ; (bytes.IndexAny(foundKey, "&;")), but Go's net/url stopped treating semicolons as separators in Go 1.17, per the URL Living Standard. This created a parser differential between mux.Vars(r) and r.URL.Query() that could lead to security vulnerabilities (broken access control, web cache poisoning via query-parameter cloaking).
• Changes bytes.IndexAny(foundKey, "&;") to bytes.IndexByte(foundKey, '&') so only ampersands are recognized as query-parameter separators.
• Adds explicit test cases verifying that semicolons are not treated as separators, and that the parser differential from issue [BUG] Semicolon unduly acts as separator for query parameters (thereby creating a parser differential) #781 is resolved.
• Removes now-incorrect semicolon-based test cases from the existing test suite and benchmarks.

Security context

When findFirstQueryKey splits on ;, an attacker can craft a URL like ?a;id=42&id=1 where:

• r.URL.Query().Get("id") returns "1" (net/url ignores the semicolon-separated part)
• mux.Vars(r)["id"] returned "42" (mux split on the semicolon)

This differential can bypass authorization checks that use r.URL.Query() while the handler acts on mux.Vars().

Test plan

• All existing tests pass (go test ./...)
• New Test_findFirstQueryKey_semicolonIsNotSeparator test verifies:
  • Semicolons in values are not treated as separators (a=1;b=2 -> key a has value 1;b=2)
  • No parser differential with net/url (a;id=42&id=1 -> key id resolves to 1)
  • Mixed semicolons and ampersands only split on ampersands
• go vet ./... passes cleanly

🤖 Generated with Claude Code