Fix incorrect use of format strings with the conditions package.
#1529
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
octo
force-pushed
the
fix-conditions-usage
branch
from
5a34270
to
0757450
Compare
darkowlzz
reviewed
Jun 26, 2024
There was a problem hiding this comment.
Thanks for the findings.
The proposed solution seems good to me. I tried the following to understand it better:
func main() {
msg := "hello %s %A\n"
foo(msg, nil)
foo("%s", msg)
}
func foo(format string, args ...interface{}) {
fmt.Printf(format, args...)
}Output:
hello %!s(<nil>) %!A(MISSING)
hello %s %AAdding a simple string verb should be enough.
I've left a few inline comments about the usage of %v which can be replaced with %s as we are mostly dealing with message strings.
octo
force-pushed
the
fix-conditions-usage
branch
2 times, most recently
from
dffa64a
to
4493237
Compare
darkowlzz
approved these changes
Jul 5, 2024
Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <[email protected]>
The `String()` method is only defined for the pointer receiver. Signed-off-by: Florian Forster <[email protected]>
Signed-off-by: Florian Forster <[email protected]>
octo
force-pushed
the
fix-conditions-usage
branch
from
4493237
to
277e5c1
Compare
Thank you so much for the review! ✅ rebased onto |
stefanprodan
approved these changes
Jul 5, 2024
There was a problem hiding this comment.
LGTM
Thanks @octo 🥇
PS. This issue is present in all controllers. It would be great If you have time to help us fixing this everywhere. URLs are logged in many places, for example image-reflector-controller.
|
Backport failed for Please cherry-pick the changes locally and resolve any conflicts. git fetch origin release/v1.3.x
git worktree add -d .worktree/backport-1529-to-release/v1.3.x origin/release/v1.3.x
cd .worktree/backport-1529-to-release/v1.3.x
git switch --create backport-1529-to-release/v1.3.x
git cherry-pick -x 8be37ef1d2dc6655143e6499073643e08ca0b9ba fa3022443ce5aa91aaf959be66a988b0bc93fac0 277e5c1d55b1d430ce5ef4e2c80f1ef45e05ea7b |
octo
added a commit
to octo/flux-kustomize-controller
that referenced
this pull request
Jul 8, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
github-actions bot
pushed a commit
to fluxcd/kustomize-controller
that referenced
this pull request
Jul 8, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit ad38b1c)
octo
added a commit
to octo/flux-helm-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
octo
added a commit
to octo/flux-notification-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
octo
added a commit
to octo/flux-image-automation-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
octo
added a commit
to octo/flux-image-reflector-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
@stefanprodan I have opened PRs for:
Already merged:
Did I miss any controllers that might need some TLC? |
|
@octo only helm-controller left. Thanks a lot for all the help! |
Only missed that in my listing. PR is here: fluxcd/helm-controller#1025 |
octo
added a commit
to octo/flux-helm-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
octo
added a commit
to octo/flux-helm-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]>
github-actions bot
pushed a commit
to fluxcd/notification-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit 1f4cdff)
github-actions bot
pushed a commit
to fluxcd/helm-controller
that referenced
this pull request
Jul 12, 2024
The `Mark…` functions in the `conditions` package accept a format string and (optional) arguments, just like `fmt.Printf` and friends. In many places, the code passed an error message as the format string, causing it to be interpreted as a format string by the `fmt` package. This leads to issues when the message contains percent signs, e.g. URL-encoded values. This PR adds a format string and shortens `err.Error()` to `err`, which yields the same output. This change is identical in principle to fluxcd/source-controller#1529. Signed-off-by: Florian Forster <[email protected]> (cherry picked from commit c94eb8e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Many of the functions in the
conditionspackage accept a format string and (optional) arguments, just likefmt.Printfand friends.In many places, the code passed an error message as the format string, causing it to be interpreted by the
fmtpackage. This leads to issues when the message contains percent signs, e.g. URL-encoded values.Consider the following code:
Since
getRevision()includes the URL in the error message and the error message is used as a format string, the resulting condition reads:This PR adds an explicit format string and shortens
e.Error()ande.Err.Error()toe, which yields the same output.To the best of my knowledge, Go is safe from format string attacks. I don't think this is a security vulnerability, but I'm also not a security expert.