From bbb5f550adca0c7f3dd5a926ecddc91b73daf983 Mon Sep 17 00:00:00 2001
From: Bryan Huhta <32787160+bryanhuhta@users.noreply.github.com>
Date: Thu, 29 Feb 2024 17:30:33 -0700
Subject: [PATCH] fix: Panics when passing a malformed GitSession (#3058)
---
 pkg/querier/vcs/client/encryption.go | 8 ++++++++
 pkg/querier/vcs/client/encryption_test.go | 10 ++++++++++
 2 files changed, 18 insertions(+)
diff --git a/pkg/querier/vcs/client/encryption.go b/pkg/querier/vcs/client/encryption.go
index 6e1b9eae12..a3f9696363 100644
--- a/pkg/querier/vcs/client/encryption.go
+++ b/pkg/querier/vcs/client/encryption.go
@@ -3,6 +3,7 @@ package client
 import (
 "encoding/base64"
 "encoding/json"
+ "errors"
 encryption "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/encryption"
 "golang.org/x/oauth2"
@@ -24,11 +25,18 @@ func encryptToken(token *oauth2.Token, key []byte) (string, error) {
 return base64.StdEncoding.EncodeToString(enc), nil
 }
+const gcmNonceSize = 12
+
 func decryptToken(encodedText string, key []byte) (*oauth2.Token, error) {
 encryptedData, err := base64.StdEncoding.DecodeString(encodedText)
 if err != nil {
 return nil, err
 }
+
+ if len(encryptedData) < gcmNonceSize {
+ return nil, errors.New("malformed token")
+ }
+
 cipher, err := encryption.NewGCMCipher(key)
 if err != nil {
 return nil, err
diff --git a/pkg/querier/vcs/client/encryption_test.go b/pkg/querier/vcs/client/encryption_test.go
index 40e46d8131..901989e532 100644
--- a/pkg/querier/vcs/client/encryption_test.go
+++ b/pkg/querier/vcs/client/encryption_test.go
@@ -23,3 +23,13 @@ func TestEncodeOAuth(t *testing.T) {
 require.NoError(t, err)
 require.Equal(t, token, actual)
 }
+
+func Test_decryptToken(t *testing.T) {
+ t.Run("malformed token shorter than nonce size", func(t *testing.T) {
+ encoded := "xxxx"
+ key := []byte("0123456789abcdef")
+
+ _, err := decryptToken(encoded, key)
+ require.EqualError(t, err, "malformed token")
+ })
+}
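Review bot: The added `gcmNonceSize` constant and the `len(encryptedData) < gcmNonceSize` guard in decryptToken are undocumented: nothing says that 12 is the standard AES-GCM nonce length that `encryption.NewGCMCipher` presumably uses, nor that the guard exists because the library's Decrypt panics on shorter input (the commit title is the only hint), so a future bump of the oauth2-proxy dependency has nothing tying the literal to the cipher. I would document the constant with `// gcmNonceSize is the AES-GCM nonce length used by encryption.NewGCMCipher; Decrypt presumably slices the nonce off the front of the ciphertext and panics on shorter input, so reject such input up front.` Consider also making the error a package-level sentinel, `var errMalformedToken = errors.New("malformed token")`, so callers and the test can use `errors.Is` to tell a garbage or tampered session from a genuine decryption failure instead of matching the string. Note that the guard only guarantees the nonce can be sliced off; any value of 12 or more bytes still reaches Decrypt, which is expected to return an error rather than panic but is not covered here. decryptToken's body continues past the end of the hunk.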
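Review bot: `Test_decryptToken` only pins the too-short input, so nothing exercises the boundary the new guard introduces: a value of exactly `gcmNonceSize` bytes, or longer garbage, passes the `len(encryptedData) < gcmNonceSize` check and goes on to `encryption.NewGCMCipher(key)` and Decrypt, which is presumably where the panic named in the commit title came from. I would add a second subtest that base64-encodes 12 bytes and, say, 40 random bytes under the same key and asserts `require.Error(t, err)` for each, so the library path is shown to fail cleanly instead of being left untested. The `key := []byte("0123456789abcdef")` literal is 16 bytes, i.e. an AES-128 key; a comment saying so would help readers see why key setup is expected to succeed in these cases.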