New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add safeio Package and Replace all io.ReadAll Invocations #22602
Conversation
nathanjsweet
commented
Dec 7, 2022
•
edited
edited
- Add safeio Package to Replace ReadAll
- Update customvet
- Replace all io.ReadAll Invocations
- Update CODEOWNERS file
a965bc1
to
299c51a
Compare
299c51a
to
6fdbed6
Compare
ec75d7d
to
97b96c9
Compare
8f9962c
to
cdb30c0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, nice work! 🚀
I don't have much context on the limits we set, but they seem reasonable :)
cdb30c0
to
74e8e29
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Azure changes LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! The customvet
linter should highlight new invocations of ReadAll
, right? But I don't see it being called from a GH action that's run as part of the CI suite.
74e8e29
to
c73312a
Compare
/test Job 'Cilium-PR-K8s-1.26-kernel-net-next' failed: Click to show.Test Name
Failure Output
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
io.ReadAll is a dangerous method in a production system as it can easily create a DoS vulnerability. The safeio package creates a ReadAllLimit method that attempts to read the entireity of an io.Reader up to a limit. Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
customvet now supports linting away io.ReadAll invocations. Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
io.ReadAll is a potentially dangerous method invocation in a production system. All instances of this method are replaced with safeio.ReadAllLimit. Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
c73312a
to
d9bb96b
Compare
/test |
All checks have passed. If another rebase has to happen because of another |