Fail Credentials validation if it contains extra data #276

dblanchette · 2024-03-07T22:12:28Z

This is especially useful for "target_tags" for which a malformed value could lead to a credentials leak

jonapich · 2024-03-11T10:50:50Z

credentials/credentials.go

 		return nil, fmt.Errorf("entry %s: invalid credentials data: %v", id, err)
 	}
-	var validationErrors error
+	credentialsMap["type"] = credentialsType


Ça c'est vraiment l'incarnation golang de :sifflercommeunépais: et :ctutoéquipisse-ouainmaisçaapasderapport:

Ouais je n'avais pas trop le choix de faire une passe de même ou de réécrire une grosse partie du code ou de faire un genre de deepcopy maison 🤷🏻

mikebaum

I approved, because technically there's nothing wrong with the code. Just made a couple of minor suggestions.

mikebaum · 2024-03-11T12:52:38Z

credentials/credentials.go

 	if err != nil {
+		validationErrors = multierror.Append(validationErrors, fmt.Errorf("entry %s: unable to create a decoder: %v", id, err))


As of go 1.20, they added this to the std lib. You can simply use this. If this project is not at version 1.20, then this is fine unless you want to update the version of go.

The project is using Go 1.21, so that should be ok.

But, I tried using the package and I don't like the interface, so I don't think it's worth it.

Okay, thought the interface was kinda the same. In any case multierror is fine.

mikebaum · 2024-03-11T12:56:15Z

credentials/credentials.go

 	if err != nil {
+		validationErrors = multierror.Append(validationErrors, fmt.Errorf("entry %s: unable to create a decoder: %v", id, err))
+	}
+	if err := decoder.Decode(credentialsMap); err != nil {
 		return nil, fmt.Errorf("entry %s: invalid credentials data: %v", id, err)


No part of the code you changed, but the error created here should be rather:

fmt.Errorf("entry %s: invalid credentials data: %w", id, err)

%w is used for wrapping an error and should be used instead of %v when the value is an error.

mikebaum · 2024-03-11T12:58:23Z

credentials/credentials_aws_test.go

+	}
+
+	cred, err := ParseSingleCredentials(credMap)
+	assert.Nil(t, err)


This should be:
assert.NoError(t, err)

Oh that explains it! assert.Nil(t, err) is used elsewhere in the code and it did not fail when it should have

Fail Credentials validation if it contains extra data

54c55fd

dblanchette requested a review from a team as a code owner March 7, 2024 22:12

jonapich approved these changes Mar 11, 2024

View reviewed changes

mikebaum approved these changes Mar 11, 2024

View reviewed changes

dblanchette added 2 commits March 11, 2024 10:05

Fix error formatting

3c6f852

Fix asserts

861c50d

dblanchette merged commit f1bb1ee into main Mar 11, 2024
3 checks passed

dblanchette deleted the fix/DT-6821-extra-data-crash branch March 11, 2024 14:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fail Credentials validation if it contains extra data #276

Fail Credentials validation if it contains extra data #276

dblanchette commented Mar 7, 2024

jonapich Mar 11, 2024

dblanchette Mar 11, 2024

mikebaum left a comment

mikebaum Mar 11, 2024

dblanchette Mar 11, 2024

mikebaum Mar 11, 2024

mikebaum Mar 11, 2024

mikebaum Mar 11, 2024

dblanchette Mar 11, 2024

		if err != nil {
		validationErrors = multierror.Append(validationErrors, fmt.Errorf("entry %s: unable to create a decoder: %v", id, err))

Fail Credentials validation if it contains extra data #276

Fail Credentials validation if it contains extra data #276

Conversation

dblanchette commented Mar 7, 2024

Choose a reason for hiding this comment

Choose a reason for hiding this comment

mikebaum left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment