djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cmd/local-user-authenticator: protect against nil-body

Browse Source 
I saw this while reading other TokenReview code.
This commit is contained in:
Andrew Keesler 2020-09-11 12:44:45 -04:00
parent 4e40c0320e
commit 17d40b7a73
No known key found for this signature in database
GPG Key ID: 27CE0444346F9413
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cmd/local-user-authenticator/main.go
View File

@ -109,12 +109,11 @@ func (w *webhook) start(ctx context.Context, l net.Listener) error {
} }
func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) { func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
defer req.Body.Close()
username, password, err := getUsernameAndPasswordFromRequest(rsp, req) username, password, err := getUsernameAndPasswordFromRequest(rsp, req)
if err != nil { if err != nil {
return return
} }
defer req.Body.Close()
secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username) secret, err := w.secretInformer.Lister().Secrets(namespace).Get(username)
notFound := k8serrors.IsNotFound(err) notFound := k8serrors.IsNotFound(err)
@ -184,6 +183,12 @@ func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Reques
return "", "", invalidRequest return "", "", invalidRequest
} }
if req.Body == nil {
klog.InfoS("invalid nil body")
rsp.WriteHeader(http.StatusBadRequest)
return "", "", invalidRequest
}
var body authenticationv1beta1.TokenReview var body authenticationv1beta1.TokenReview
if err := json.NewDecoder(req.Body).Decode(&body); err != nil { if err := json.NewDecoder(req.Body).Decode(&body); err != nil {
klog.InfoS("failed to decode body", "err", err) klog.InfoS("failed to decode body", "err", err)