Panic When ';', '-' or '=' character is in accountName parameter when using SharedKeyCredential #296

Open
mikaeldnetapp opened this issue Aug 19, 2021 · 2 comments

Comments

@mikaeldnetapp

Which version of the SDK was used?

github.com/Azure/azure-storage-blob-go v0.14.0

Which platform are you using? (ex: Windows, Linux, Debian)

Linux

What problem was encountered?

SDK Panics

How can we reproduce the problem in the simplest way?

import (
	"context"
	"fmt"
	"net/url"

	"github.com/Azure/azure-pipeline-go/pipeline"
	"github.com/Azure/azure-storage-blob-go/azblob"
)

// Fragment from inside a function: account, key, azureBlobContainerName
// and initTimeout are defined elsewhere.

// The account name carries a trailing ';'.
credential, err := azblob.NewSharedKeyCredential(account+";", key)
if err != nil {
	return nil, err
}

u, err := url.Parse(fmt.Sprintf("https://%s.blob.core.windows.net", account))
if err != nil {
	return nil, err
}

p := azblob.NewPipeline(credential, azblob.PipelineOptions{})

serviceURL := azblob.NewServiceURL(*u, p)
containerURL := serviceURL.NewContainerURL(azureBlobContainerName)

ctx, cancel := context.WithTimeout(context.Background(), initTimeout)
defer cancel()

_, err = containerURL.GetProperties(ctx, azblob.LeaseAccessConditions{})

This results in:

goroutine 1 [running]:
github.com/Azure/azure-storage-blob-go/azblob.NewRequestLogPolicyFactory.func1.1(0x18534e0, 0xc0001a5860, 0xc00017a500, 0x10, 0x16a1800, 0x1, 0xc0000edb80)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zc_policy_request_log.go:106 +0x514
github.com/Azure/azure-pipeline-go/pipeline.PolicyFunc.Do(0xc0000bacd0, 0x18534e0, 0xc0001a5860, 0xc00017a500, 0xc0000edc68, 0xc00008eb40, 0x54, 0xc0000a1080)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:43 +0x44
github.com/Azure/azure-storage-blob-go/azblob.(*SharedKeyCredential).New.func1(0x18534e0, 0xc0001a5860, 0xc00017a500, 0x1c113a0, 0x18534e0, 0xc0001a5860, 0xc0001b6000)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zc_credential_shared_key.go:66 +0x2f4
github.com/Azure/azure-pipeline-go/pipeline.PolicyFunc.Do(0xc000178b10, 0x18534e0, 0xc0001a5860, 0xc00017a500, 0xc0001a5860, 0xc0001b6000, 0x37e0f509e, 0x0)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:43 +0x44
github.com/Azure/azure-storage-blob-go/azblob.NewRetryPolicyFactory.func1.1(0x18534e0, 0xc0001a5800, 0xc00017a400, 0x10, 0x16a1800, 0x64492d747301, 0xc0000eda20)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zc_policy_retry.go:204 +0x69d
github.com/Azure/azure-pipeline-go/pipeline.PolicyFunc.Do(0xc0000bad20, 0x18534e0, 0xc0001a5800, 0xc00017a400, 0xc0000edad8, 0x203000, 0x203000, 0xc000245398)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:43 +0x44
github.com/Azure/azure-storage-blob-go/azblob.NewUniqueRequestIDPolicyFactory.func1.1(0x18534e0, 0xc0001a5800, 0xc00017a400, 0x10, 0x16a1800, 0x100f801, 0xc0000eda20)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zc_policy_unique_request_id.go:22 +0xd4
github.com/Azure/azure-pipeline-go/pipeline.PolicyFunc.Do(0xc0000aea98, 0x18534e0, 0xc0001a5800, 0xc00017a400, 0xc0000edac0, 0x23, 0xc0000a0f90, 0xc000245450)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:43 +0x44
github.com/Azure/azure-storage-blob-go/azblob.NewTelemetryPolicyFactory.func1.1(0x18534e0, 0xc0001a5800, 0xc00017a400, 0x1, 0x0, 0x1, 0xc0000b42a0)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zc_policy_telemetry.go:34 +0x162
github.com/Azure/azure-pipeline-go/pipeline.PolicyFunc.Do(0xc000178b40, 0x18534e0, 0xc0001a5800, 0xc00017a400, 0xc000178b40, 0x0, 0xc000245520, 0x100f8f8)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:43 +0x44
github.com/Azure/azure-pipeline-go/pipeline.(*pipeline).Do(0xc0000b9740, 0x18534e0, 0xc0001a5800, 0x18482a0, 0xc0000e0840, 0xc00017a400, 0x33, 0xc0000a0fc0, 0x29, 0x0)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-pipeline-go@v0.2.3/pipeline/core.go:129 +0x82
github.com/Azure/azure-storage-blob-go/azblob.containerClient.GetProperties(0xc0000b29c0, 0x5, 0x0, 0x0, 0x0, 0xc0000b29c8, 0x33, 0xc0000a0fc0, 0x29, 0x0, ...)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/zz_generated_container.go:526 +0x345
github.com/Azure/azure-storage-blob-go/azblob.ContainerURL.GetProperties(0xc0000b29c0, 0x5, 0x0, 0x0, 0x0, 0xc0000b29c8, 0x33, 0xc0000a0fc0, 0x29, 0x0, ...)
	/Users/mikaeld/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.14.0/azblob/url_container.go:109 +0xcc
cloud-volumes-telemetry-exporter/app/sink/abs.NewSink(0xc00002a00c, 0x13, 0x1855548, 0xc00000ea08, 0xc00000ea38, 0x0, 0x0, 0x0, 0x0)
	/Users/mikaeld/netapp/cloud-volumes-telemetry/exporter/app/sink/abs/upload.go:110 +0x4d8

Have you found a mitigation/solution?

Sanitizing input would work, but the SDK shouldn't panic.

@siminsavani-msft
Contributor

Hi @mikaeldnetapp! I have tried to repro this issue and I get an error from the service. I believe this occurs because you need to create the container. Try using this Create API:

func (c ContainerURL) Create(ctx context.Context, metadata Metadata, publicAccessType PublicAccessType) (*ContainerCreateResponse, error)

Let me know if this works!

@mikaeldnetapp
Author

Hi @siminsavani-msft, my example was incomplete. It seems that adding HTTPSender is causing this panic on bad input.

package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"os"
	"time"

	"github.com/Azure/azure-pipeline-go/pipeline"
	"github.com/Azure/azure-storage-blob-go/azblob"
)

func main() {
	account := "accountName"+";"
	key := "REDACTED"
	credential, err := azblob.NewSharedKeyCredential(account, key)
	if err != nil {
		fmt.Println(err.Error())
		os.Exit(1)
	}

	u, err := url.Parse(fmt.Sprintf("https://%s.blob.core.windows.net", account))
	if err != nil {
		fmt.Println(err.Error())
		os.Exit(1)
	}

	p := azblob.NewPipeline(credential, azblob.PipelineOptions{
		HTTPSender: pipeline.FactoryFunc(func(next pipeline.Policy, po *pipeline.PolicyOptions) pipeline.PolicyFunc {
			return func(ctx context.Context, request pipeline.Request) (pipeline.Response, error) {
				client := http.Client{
					Transport: &http.Transport{
						Proxy: nil,
						DialContext: (&net.Dialer{
							Timeout:   30 * time.Second,
							KeepAlive: 30 * time.Second,
						}).DialContext,
						IdleConnTimeout:       180 * time.Second,
						TLSHandshakeTimeout:   10 * time.Second,
						ExpectContinueTimeout: 1 * time.Second,
					},
				}

				resp, err := client.Do(request.WithContext(ctx))
				if err != nil {
					return nil, err
				}

				return pipeline.NewHTTPResponse(resp), nil
			}
		})})

	serviceURL := azblob.NewServiceURL(*u, p)
	containerURL := serviceURL.NewContainerURL(`container-name`)

	ctx, cancel := context.WithTimeout(context.Background(), time.Second * 5)
	defer cancel()

	_, err = containerURL.GetProperties(ctx, azblob.LeaseAccessConditions{})
	if err != nil {
		fmt.Println(err.Error())
	} else {
		fmt.Println("ok even if it doesn't exist")
	}
}

We have also noticed the SDK panics when code is containerized with the docker 'scratch' image that does not contain any TLS root certs.

go mod file:

module abs_panic

go 1.16

require (
	github.com/Azure/azure-pipeline-go v0.2.3
	github.com/Azure/azure-storage-blob-go v0.14.0
)

// This also happens using the master branch
replace (
	github.com/Azure/azure-storage-blob-go => /Users/mikaeld/netapp/azure-storage-blob-go/
)
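
The input sanitizing named as a mitigation in this thread, as an added example that is not part of the original posts or of the SDK: it checks the account name against Azure's storage account naming rule (3 to 24 characters, lowercase letters and digits only) before a credential or URL is built, and wraps a call so that a panic surfaces as an error. `ValidateAccountName`, `ServiceEndpoint`, `GuardPanic` and `ErrAccountName` are hypothetical helper names, and the sample names in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrAccountName marks names that break the storage account naming rule.
var ErrAccountName = errors.New("invalid storage account name")

// ValidateAccountName accepts only 3-24 bytes of [a-z0-9], so ';', '-',
// '=' and upper-case letters are rejected before they reach the SDK.
func ValidateAccountName(name string) error {
	if len(name) < 3 || len(name) > 24 {
		return fmt.Errorf("%w: length %d not in 3..24", ErrAccountName, len(name))
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		if !(c >= 'a' && c <= 'z') && !(c >= '0' && c <= '9') {
			return fmt.Errorf("%w: byte %q at offset %d", ErrAccountName, c, i)
		}
	}
	return nil
}

// ServiceEndpoint builds the blob endpoint only from a validated name.
func ServiceEndpoint(name string) (*url.URL, error) {
	if err := ValidateAccountName(name); err != nil {
		return nil, err
	}
	return url.Parse("https://" + name + ".blob.core.windows.net")
}

// GuardPanic runs fn and turns a panic into an ordinary error.
func GuardPanic(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic: %v", r)
		}
	}()
	return fn()
}

func main() {
	// Constructed sample names, including the three characters from the title.
	for _, n := range []string{"accountname", "accountName;", "acct-name", "acct=name"} {
		_, err := ServiceEndpoint(n)
		fmt.Printf("%-16q -> %v\n", n, err)
	}
}
```
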
