-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix incorrect use of format strings with the conditions
package.
#1529
Conversation
5a34270
to
0757450
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the findings.
The proposed solution seems good to me. I tried the following to understand it better:
func main() {
msg := "hello %s %A\n"
foo(msg, nil)
foo("%s", msg)
}
func foo(format string, args ...interface{}) {
fmt.Printf(format, args...)
}
Output:
hello %!s(<nil>) %!A(MISSING)
hello %s %A
Adding a simple string verb should be enough.
I've left a few inline comments about the usage of %v
which can be replaced with %s
as we are mostly dealing with message strings.
dffa64a
to
4493237
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Thanks.
Please rebase.
Many of the functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. Consider the following code: ```go // internal/controller/ocirepository_controller.go revision, err := r.getRevision(ref, opts) if err != nil { e := serror.NewGeneric( fmt.Errorf("failed to determine artifact digest: %w", err), ociv1.OCIPullFailedReason, ) conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error()) return sreconcile.ResultEmpty, e } ``` Since `getRevision()` includes the URL in the error message and the error message is used as a format string, the resulting condition reads: ``` failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden ``` This adds an explicit format string and shortens `e.Error()` and `e.Err.Error()` to `e`, which yields the same output. To the best of my knowledge, Go is safe from format string attacks. I **don't** think this is a security vulnerability, but I'm also not a security expert. Signed-off-by: Florian Forster <[email protected]>
The `String()` method is only defined for the pointer receiver. Signed-off-by: Florian Forster <[email protected]>
Signed-off-by: Florian Forster <[email protected]>
4493237
to
277e5c1
Compare
Thank you so much for the review! ✅ rebased onto |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @octo 🥇
PS. This issue is present in all controllers. It would be great If you have time to help us fixing this everywhere. URLs are logged in many places, for example image-reflector-controller.
Backport failed for Please cherry-pick the changes locally and resolve any conflicts. git fetch origin release/v1.3.x
git worktree add -d .worktree/backport-1529-to-release/v1.3.x origin/release/v1.3.x
cd .worktree/backport-1529-to-release/v1.3.x
git switch --create backport-1529-to-release/v1.3.x
git cherry-pick -x 8be37ef1d2dc6655143e6499073643e08ca0b9ba fa3022443ce5aa91aaf959be66a988b0bc93fac0 277e5c1d55b1d430ce5ef4e2c80f1ef45e05ea7b |
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit ad38b1c)
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
@stefanprodan I have opened PRs for:
Already merged:
Did I miss any controllers that might need some TLC? |
@octo only helm-controller left. Thanks a lot for all the help! |
Only missed that in my listing. PR is here: fluxcd/helm-controller#1025 |
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit 1f4cdff)
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit c94eb8e)
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
Many of the functions in the
conditions
package accept a format string and (optional) arguments, just likefmt.Printf
and friends.In many places, the code passed an error message as the format string, causing it to be interpreted by the
fmt
package. This leads to issues when the message contains percent signs, e.g. URL-encoded values.Consider the following code:
Since
getRevision()
includes the URL in the error message and the error message is used as a format string, the resulting condition reads:This PR adds an explicit format string and shortens
e.Error()
ande.Err.Error()
toe
, which yields the same output.To the best of my knowledge, Go is safe from format string attacks. I don't think this is a security vulnerability, but I'm also not a security expert.