nil pointer dereference triggered by cors_header setting #1059

Closed
2 tasks done
wolfmd opened this issue May 11, 2021 · 1 comment · Fixed by #1073
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.


wolfmd commented May 11, 2021

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

2.18.0

Affected resource(s)

cloudflare_access_application

Terraform configuration files

resource "cloudflare_access_application" "my_app" {
  account_id       = var.account_id
  name             = "My App"
  domain           = "my-app.mydomain.org"
  session_duration = "24h"

  cors_headers {
    allowed_methods   = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
    allowed_headers   = ["Authorization", "Content-Type", "X-Sudo"]
    allow_credentials = true
    allow_all_origins = true
  }
}

Debug output

No response

Panic output

panic: runtime error: invalid memory address or nil pointer dereference
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: [signal SIGSEGV: segmentation violation code=0x1 addr=0x48 pc=0xfc70a3]
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0:
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: goroutine 11614 [running]:
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/cloudflare/terraform-provider-cloudflare/cloudflare.convertCORSStructToSchema(0xc0004e7420, 0x0, 0xc, 0x110ef00, 0xc0005f7a00)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/cloudflare/terraform-provider-cloudflare/cloudflare/resource_cloudflare_access_application.go:380 +0x63
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/cloudflare/terraform-provider-cloudflare/cloudflare.resourceCloudflareAccessApplicationRead(0xc0004e7420, 0x132fa00, 0xc000662180, 0xc0004e7420, 0x0)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/cloudflare/terraform-provider-cloudflare/cloudflare/resource_cloudflare_access_application.go:225 +0x8f2
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc00022fa70, 0xc00100be50, 0x132fa00, 0xc000662180, 0xc0009054d0, 0x0, 0x0)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk@v1.16.0/helper/schema/resource.go:460 +0x129
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ReadResource(0xc0009042b0, 0x1501640, 0xc00075e9f0, 0xc0009bbd40, 0xc0009042b0, 0xc00075e9f0, 0xc000179ba0)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk@v1.16.0/internal/helper/plugin/grpc_provider.go:525 +0x3dd
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ReadResource_Handler(0x12ebca0, 0xc0009042b0, 0x1501640, 0xc00075e9f0, 0xc0009bbce0, 0x0, 0x1501640, 0xc00075e9f0, 0xc0004de000, 0x29b)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: github.com/hashicorp/terraform-plugin-sdk@v1.16.0/internal/tfplugin5/tfplugin5.pb.go:3269 +0x214
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc.(*Server).processUnaryRPC(0xc00091c380, 0x150ce60, 0xc0005b5980, 0xc000c0c600, 0xc0009530b0, 0x1bf5510, 0x0, 0x0, 0x0)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc@v1.30.0/server.go:1171 +0x522
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc.(*Server).handleStream(0xc00091c380, 0x150ce60, 0xc0005b5980, 0xc000c0c600, 0x0)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc@v1.30.0/server.go:1494 +0xcc5
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc0000482b0, 0xc00091c380, 0x150ce60, 0xc0005b5980, 0xc000c0c600)
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc@v1.30.0/server.go:834 +0xa5
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: created by google.golang.org/grpc.(*Server).serveStreams.func1
2021-05-11T15:35:11.083Z [DEBUG] plugin.terraform-provider-cloudflare_v2.18.0: google.golang.org/grpc@v1.30.0/server.go:832 +0x1fd

Expected output

Trying to run a terraform plan with cors headers of allow_all_origin=true and allow_credential=true should return with a syntax error to prevent it from being applied.

Actual output

When running a plan for the resource above we would have expected a check to have stopped us. CORS headers are not supposed to allow both all origins and credentials (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin#syntax). We were not aware of this at the time so we got reasonable output of

resource "cloudflare_access_application" "my_app" {
        id                        = "<id>"
        name                  = "My App"
        # (8 unchanged attributes hidden)

      + cors_headers {
          + allow_all_origins = true
          + allow_credentials = true
          + allowed_headers   = [
              + "Authorization",
              + "Content-Type",
              + "X-Sudo",
            ]
          + allowed_methods   = [
              + "DELETE",
              + "GET",
              + "OPTIONS",
              + "PATCH",
              + "POST",
              + "PUT",
            ]
        }
    }

when applying the resource above, we received an error in response:

cloudflare_access_application.my_app: Modifying... [id=<id>]

Error: error updating Access Application for account "<account>": error from makeRequest: HTTP status 400: content "{\n  \"result\": null,\n  \"success\": false,\n  \"errors\": [\n    {\n      \"code\": 12058,\n      \"message\": \"access.api.error.invalid_cors_origins\"\n    }\n  ],\n  \"messages\": []\n}\n"

So the API said no, however the terraform state must have committed the change as every subsequent plan returns

Error: rpc error: code = Canceled desc = context canceled

Error: rpc error: code = Canceled desc = context canceled
...

Until the resource is removed from the terraform state. After running

terraform state rm cloudflare_access_application.my_app

we are able to run plans/applies again

Steps to reproduce

  1. Create an access application with cors headers including
     • allow_all_headers: true
     • allow_credentials: true
  2. Run a plan and see that this seems to be a syntactically valid resource
  3. Run apply and see an error showing a failure to apply
  4. Run a state show to see the state object was updated anyway
  5. Run a plan with debug on to see that plans are now blocked on a github.com/cloudflare/terraform-provider-cloudflare/cloudflare.convertCORSStructToSchema panic

Additional factoids

No response

References

No response

@wolfmd wolfmd added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 11, 2021
jacobbednarz added a commit that referenced this issue May 21, 2021
… and credentials

Updates the Access Application resource to better protect against
scenarios where people unknowingly violate a CORS restriction where you
cannot allow all origins and use credentials[1].

The service prevents this; however, the Terraform resource did not,
resulting in bad state if you ever attempted this.

Fixes #1059

[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
@jacobbednarz (Member)

I've put up a fix for this in #1073 and it will be in the next release that gets tagged soon.
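
The two defensive checks this thread points to, written as an added Go example: a plan-time rejection of `allow_all_origins` together with `allow_credentials`, and a read-path converter that tolerates a nil CORS object instead of panicking. This is not the provider's code or the change made in #1073; the type `CORSHeaders` and the functions `validateCORS` and `flattenCORS` are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// CORSHeaders is a hypothetical stand-in for the API's CORS settings object.
type CORSHeaders struct {
	AllowedMethods   []string
	AllowedHeaders   []string
	AllowAllOrigins  bool
	AllowCredentials bool
}

var errWildcardWithCredentials = errors.New(
	"cors_headers: allow_all_origins cannot be combined with allow_credentials")

// validateCORS is the kind of plan-time check the issue asks for: reject
// the combination locally, before any API call or state write happens.
func validateCORS(c *CORSHeaders) error {
	if c == nil {
		return nil // no cors_headers block configured
	}
	if c.AllowAllOrigins && c.AllowCredentials {
		return errWildcardWithCredentials
	}
	return nil
}

// flattenCORS converts the API object into the list-of-one-map shape used
// for a nested block in state. A nil input yields an empty list, not a panic.
func flattenCORS(c *CORSHeaders) []map[string]interface{} {
	if c == nil {
		return []map[string]interface{}{}
	}
	return []map[string]interface{}{{
		"allowed_methods":   c.AllowedMethods,
		"allowed_headers":   c.AllowedHeaders,
		"allow_all_origins": c.AllowAllOrigins,
		"allow_credentials": c.AllowCredentials,
	}}
}

func main() {
	bad := &CORSHeaders{AllowAllOrigins: true, AllowCredentials: true}
	fmt.Println("validate:", validateCORS(bad))
	fmt.Println("flatten nil:", len(flattenCORS(nil)))
}
```
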
