Address signingCert panic with the last-byte calculation of finalChainPEM #370

Merged on Feb 2, 2022 (2 commits)

@tstromberg (Contributor) commented Feb 1, 2022

Signed-off-by: Thomas Stromberg <t+github@stromberg.org>

Summary

Addresses a panic caused by the incorrect string being referred for a newline check.

This panic only occurs if finalPEM is shorter than finalChainPEM.

Ticket Link

Fixes #369

Release Note

NONE

Signed-off-by: Thomas Stromberg <t+github@stromberg.org>
pkg/api/ca.go Outdated
@@ -213,7 +213,7 @@ func (a *api) signingCert(w http.ResponseWriter, req *http.Request) {
}
if len(finalChainPEM) > 0 {
fmt.Fprintf(&ret, "%s", finalChainPEM)
if finalPEM[len(finalChainPEM)-1] != '\n' {
if finalChainPEM[len(finalChainPEM)-1] != '\n' {
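
Review bot: no test accompanies the changed newline check `if finalChainPEM[len(finalChainPEM)-1] != '\n' {`, so the case that panicked (finalPEM shorter than finalChainPEM) is still not exercised. Please add a test for signingCert with a chain longer than the leaf certificate, and one with a chain that lacks a trailing newline. The index is in bounds only because of the enclosing `len(finalChainPEM) > 0` guard; a suffix check that does not index by hand would remove the need to keep the slice and the length expression in sync.
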
Contributor

Nit: Perhaps this might be more clear if we'd written as

Suggested change
if finalChainPEM[len(finalChainPEM)-1] != '\n' {
if !strings.HasSuffix(string(finalChainPEM), "\n") {
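
Review bot: the `string(finalChainPEM)` conversion in the suggested line can allocate a copy of the whole chain just to inspect its last byte. If finalChainPEM is a []byte, `bytes.HasSuffix(finalChainPEM, []byte("\n"))` gives the same result without the conversion.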

Contributor Author

Great idea. Done!

Signed-off-by: Thomas Stromberg <t+github@chainguard.dev>
@haydentherapper (Contributor) left a comment

Great catch! I had added this check. This suggests to me we need some additional tests.

@haydentherapper (Contributor)

@bobcallaway @dlorenc - Not sure when the last Fulcio release was, but if it's been pushed after 10262db, we'll want to get this change in and pushed.

@dlorenc (Member) commented Feb 2, 2022

> @bobcallaway @dlorenc - Not sure when the last Fulcio release was, but if it's been pushed after 10262db, we'll want to get this change in and pushed.

Ack, deploying after this one!

@dlorenc merged commit 60b3db4 into sigstore:main on Feb 2, 2022

Successfully merging this pull request may close these issues.

panic at pkg/api/ca.go:signingCert(): runtime error: index out of range [830] with length 826
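
A reproduction of the panic in the linked issue next to the corrected check, as an added example that is not Fulcio's code. `appendChainBuggy`, `appendChainFixed` and `pemLike` are hypothetical helpers, the inputs are constructed filler sized to match the issue's indices (an 826-byte leaf and an 831-byte chain), and the newline append inside the `if` body is an assumption because the page does not show it.

```go
package main

import (
	"bytes"
	"fmt"
)

// pemLike returns n bytes of constructed filler ending in '\n' (not real PEM).
func pemLike(n int) []byte { return append(bytes.Repeat([]byte("A"), n-1), '\n') }

// appendChainBuggy mirrors the pre-fix check (hypothetical helper): it indexes
// finalPEM with an offset derived from finalChainPEM. Newline append is assumed.
func appendChainBuggy(finalPEM, finalChainPEM []byte) (out string, err error) {
	defer func() { // convert the runtime panic into an error for inspection
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	var ret bytes.Buffer
	ret.Write(finalPEM)
	if len(finalChainPEM) > 0 {
		fmt.Fprintf(&ret, "%s", finalChainPEM)
		if finalPEM[len(finalChainPEM)-1] != '\n' { // wrong slice
			ret.WriteByte('\n')
		}
	}
	return ret.String(), nil
}

// appendChainFixed checks the suffix of the slice that was just written.
func appendChainFixed(finalPEM, finalChainPEM []byte) string {
	var ret bytes.Buffer
	ret.Write(finalPEM)
	if len(finalChainPEM) > 0 {
		fmt.Fprintf(&ret, "%s", finalChainPEM)
		if !bytes.HasSuffix(finalChainPEM, []byte("\n")) {
			ret.WriteByte('\n')
		}
	}
	return ret.String()
}

func main() {
	_, err := appendChainBuggy(pemLike(826), pemLike(831))
	fmt.Println(err)
	fmt.Printf("%q\n", appendChainFixed([]byte("AAAA\n"), []byte("BB")))
}
```

When the leaf is longer than the chain the buggy check does not panic but reads an unrelated byte of the leaf, so it can emit a spurious extra newline after a chain that already ends in one.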