fix(inspect): close CRL response body on io.ReadAll error path#463
Conversation
`checkCRLValidCert` in `pkg/inspect/secret/util.go` closed `resp.Body` only on the success path. If `io.ReadAll` returned a non-nil error (truncated response, transport reset, etc.) the function returned early with the body still open, leaking the underlying TCP connection. `bodyclose` doesn't flag this because it considers the body handled as long as `Close` appears anywhere in the function, even if it's unreachable on error paths. Switch to a `defer resp.Body.Close()` immediately after the successful `http.Do()` and drop the explicit post-read call -- now the body is always closed regardless of which return site fires. Closes cert-manager#442. Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
cert-manager-prow
Bot
added
dco-signoff: yes
|
Hi @SAY-5. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
cert-manager-prow
Bot
added
the
size/XS
|
/ok-to-test |
cert-manager-prow
Bot
added
ok-to-test
and removed
needs-ok-to-test
There was a problem hiding this comment.
Pull request overview
Fixes an HTTP response body leak in checkCRLValidCert so the CRL fetch connection is closed even when io.ReadAll fails (addressing #442).
Changes:
- Add
defer resp.Body.Close()immediately after a successfulhttp.DefaultClient.Do(req). - Remove the explicit
resp.Body.Close()call that only ran on the success path.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: erikgb The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cert-manager-prow
Bot
added
the
approved
Closes #442.
Bug
`checkCRLValidCert` in `pkg/inspect/secret/util.go` closed `resp.Body` only on the success path:
```go
resp, err := http.DefaultClient.Do(req)
if err != nil {
return false, fmt.Errorf("error getting HTTP response: %w", err)
}
body, err := io.ReadAll(resp.Body)
if err != nil {
return false, fmt.Errorf("error reading HTTP body: %w", err) // ← body leaked
}
resp.Body.Close()
```
Any time `io.ReadAll` returned a non-nil error (truncated response, transport reset, peer TLS close, etc.) the function returned early and the underlying TCP connection was leaked. `bodyclose` doesn't catch this class of bug because the analyzer treats the body as handled as long as `Close` appears anywhere in the function, without verifying reachability from every error-return — same gap as the upstream `httpresponse` analyzer (golang/go#75902).
Fix
One-line edit: add `defer resp.Body.Close()` immediately after the successful `http.Do()` and drop the explicit post-read call. The body is now closed from every return site.
Testing
Signed-off-by: SAY-5 SAY-5@users.noreply.github.com