decryptor: recover from SOPS store panic

Based on user reports, there seems to be a small chance for the underlying SOPS store implementation to panic when a user provides input and/or output format instructions which do not actually match the type of the file. Recover from this to ensure continuity of operations. Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Jul 1, 2022 · 5aee735 · 5aee735
1 parent db3c321
commit 5aee735
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
@@ -57,7 +57,7 @@ const (
 	// DecryptionProviderSOPS is the SOPS provider name.
 	DecryptionProviderSOPS = "sops"
 	// DecryptionPGPExt is the extension of the file containing an armored PGP
-	//key.
+	// key.
 	DecryptionPGPExt = ".asc"
 	// DecryptionAgeExt is the extension of the file containing an age key
 	// file.
@@ -235,7 +235,8 @@ func (d *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 			case filepath.Ext(DecryptionAWSKmsFile):
 				if name == DecryptionAWSKmsFile {
 					if d.awsCredsProvider, err = awskms.LoadCredsProviderFromYaml(value); err != nil {
-						return fmt.Errorf("failed to import '%s' data from %s decryption Secret '%s': %w", name, provider, secretName, err)
+						return fmt.Errorf("failed to import '%s' data from %s decryption Secret '%s': %w", name,
+							provider, secretName, err)
 					}
 				}
 			case filepath.Ext(DecryptionAzureAuthFile):
@@ -263,7 +264,16 @@ func (d *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
 // for the input format, gathers the data key for it from the key service,
 // and then decrypts the file data with the retrieved data key.
 // It returns the decrypted bytes in the provided output format, or an error.
-func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) ([]byte, error) {
+func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error) {
+	defer func() {
+		// It was discovered that malicious input and/or output instructions can
+		// make SOPS panic. Recover from this panic and return as an error.
+		if r := recover(); r != nil {
+			err = fmt.Errorf("failed to emit encrypted %s file as decrypted %s: %v",
+				sopsFormatToString[inputFormat], sopsFormatToString[outputFormat], r)
+		}
+	}()
+
 	store := common.StoreForFormat(inputFormat)
 
 	tree, err := store.LoadEncryptedFile(data)