Fix: Faulty Remote Resource Accepted by Remote Resolution

This PR fixes the issue where a bad remote resource is accepted by remote resolution.
tektoncd · May 17, 2024 · 4573753 · 4573753
1 parent 3dab35e
commit 4573753
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/pkg/remote/resolution/resolver.go b/pkg/remote/resolution/resolver.go
@@ -24,6 +24,7 @@ import (
 	resolutioncommon "github.com/tektoncd/pipeline/pkg/resolution/common"
 	remoteresource "github.com/tektoncd/pipeline/pkg/resolution/resource"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"knative.dev/pkg/kmeta"
 )
 
@@ -97,7 +98,8 @@ func ResolvedRequest(resolved resolutioncommon.ResolvedResource, err error) (run
 	if err != nil {
 		return nil, nil, &DataAccessError{Original: err}
 	}
-	obj, _, err := scheme.Codecs.UniversalDeserializer().Decode(data, nil, nil)
+	codecs := serializer.NewCodecFactory(scheme.Scheme, serializer.EnableStrict)
+	obj, _, err := codecs.UniversalDeserializer().Decode(data, nil, nil)
 	if err != nil {
 		return nil, nil, &InvalidRuntimeObjectError{Original: err}
 	}

diff --git a/pkg/remote/resolution/resolver_test.go b/pkg/remote/resolution/resolver_test.go
@@ -75,6 +75,50 @@ func TestGet_Successful(t *testing.T) {
 	}
 }
 
+var invalidPipelineBytes = []byte(`
+kind: Pipeline
+apiVersion: tekton.dev/v1
+metadata:
+  name: foo
+spec:
+  tasks:
+  - name: task1
+    taskSpec:
+      foo: bar
+      steps:
+      - name: step1
+        image: ubuntu
+        script: |
+          echo "hello world!"
+        foo: bar
+`)
+
+var invalidTaskBytes = []byte(`
+kind: Task
+apiVersion: tekton.dev/v1
+metadata:
+  name: foo
+spec:
+  foo: bar
+  steps:
+    - name: step1
+      image: ubuntu
+      script: |
+        echo "hello world!"
+`)
+
+var invalidStepActionBytes = []byte(`
+kind: StepAction
+apiVersion: tekton.dev/v1beta1
+metadata:
+  name: foo
+spec:
+  image: ubuntu
+  script: |
+    echo "hello world!"
+  foo: bar
+`)
+
 func TestGet_Errors(t *testing.T) {
 	genericError := errors.New("uh oh something bad happened")
 	notARuntimeObject := &resolution.ResolvedResource{
@@ -85,6 +129,21 @@ func TestGet_Errors(t *testing.T) {
 		DataErr:             errors.New("data access error"),
 		ResolvedAnnotations: nil,
 	}
+	invalidPipeline := &resolution.ResolvedResource{
+		ResolvedData:        invalidPipelineBytes,
+		DataErr:             errors.New(`spec.tasks[0].taskSpec.foo", unknown field "spec.tasks[0].taskSpec.steps[0].foo`),
+		ResolvedAnnotations: nil,
+	}
+	invalidTask := &resolution.ResolvedResource{
+		ResolvedData:        invalidTaskBytes,
+		DataErr:             errors.New(`spec.foo", unknown field "spec.steps[0].foo`),
+		ResolvedAnnotations: nil,
+	}
+	invalidStepAction := &resolution.ResolvedResource{
+		ResolvedData:        invalidStepActionBytes,
+		DataErr:             errors.New(`unknown field "spec.foo`),
+		ResolvedAnnotations: nil,
+	}
 	for _, tc := range []struct {
 		submitErr        error
 		expectedGetErr   error
@@ -109,6 +168,18 @@ func TestGet_Errors(t *testing.T) {
 		submitErr:        nil,
 		expectedGetErr:   &DataAccessError{},
 		resolvedResource: invalidDataResource,
+	}, {
+		submitErr:        nil,
+		expectedGetErr:   &DataAccessError{},
+		resolvedResource: invalidPipeline,
+	}, {
+		submitErr:        nil,
+		expectedGetErr:   &DataAccessError{},
+		resolvedResource: invalidTask,
+	}, {
+		submitErr:        nil,
+		expectedGetErr:   &DataAccessError{},
+		resolvedResource: invalidStepAction,
 	}} {
 		ctx := context.Background()
 		owner := &v1beta1.PipelineRun{