From 20bb002184629aa74d9d0f19708e79297f93ffdb Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 5 Mar 2024 17:11:45 -0500
Subject: [PATCH 1/2] Ensure that invalid versions do not cause a nil panic
---
 pkg/releases/cli.go | 15 +++++++++++++++
 pkg/releases/versions.go | 2 ++
 pkg/releases/versions_test.go | 29 ++++++++++++++++-------------
 3 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/pkg/releases/cli.go b/pkg/releases/cli.go
index 32e93f705a..df551716ea 100644
--- a/pkg/releases/cli.go
+++ b/pkg/releases/cli.go
@@ -40,14 +40,29 @@ func CheckAndLogRunE() cobrautil.CobraRunFunc {
 return nil
 case UpdateAvailable:
+ if release == nil {
+ log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
+ return nil
+ }
+
 log.Ctx(ctx).Warn().Str("this-version", currentVersion).Str("latest-released-version", release.Version).Msgf("this version of SpiceDB is out of date. See: %s", release.ViewURL)
 return nil
 case UpToDate:
+ if release == nil {
+ log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
+ return nil
+ }
+
 log.Ctx(ctx).Info().Str("latest-released-version", release.Version).Msg("this is the latest released version of SpiceDB")
 return nil
 case Unknown:
+ if release == nil {
+ log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
+ return nil
+ }
+
 log.Ctx(ctx).Warn().Str("unknown-released-version", release.Version).Msg("unable to check for a new SpiceDB version")
 return nil
diff --git a/pkg/releases/versions.go b/pkg/releases/versions.go
index dc84f1a095..b29b79b0b1 100644
--- a/pkg/releases/versions.go
+++ b/pkg/releases/versions.go
@@ -7,6 +7,7 @@ import (
 "runtime/debug"
 "github.com/jzelinskie/cobrautil/v2"
+ "github.com/rs/zerolog/log"
 "golang.org/x/mod/semver"
 )
@@ -59,6 +60,7 @@ func CheckIsLatestVersion(
 }
 if !semver.IsValid(release.Version) {
+ log.Warn().Str("version", release.Version).Msg("invalid version")
 return Unknown, currentVersion, nil, err
 }
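Review bot: The identical four-line nil guard is pasted into the UpdateAvailable, UpToDate and Unknown arms, and its text `unable to check for or load the new SpiceDB version` is then also emitted from the UpToDate arm, where it contradicts the state the switch just matched. From the versions.go hunk in this same commit, the only visible path that yields a nil release with one of these three states is the invalid-version branch, which returns `Unknown`; the other two guards look purely defensive, which is reasonable for a crash-to-warning fix, but a comment on the first one should say so, e.g. `// release can be nil when the release lookup failed or returned an unparseable version; never dereference it unguarded.` The duplicated message is worth a single `const noReleaseMsg = "unable to check for or load the new SpiceDB version"` shared by the three calls. Since the release data presumably comes from a remote lookup, a malformed response could previously crash the CLI during this check; turning that into a warning is the right failure mode for an advisory version check. CheckAndLogRunE's body begins before and continues after this hunk.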
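Review bot: The added warning in CheckIsLatestVersion goes through the package-global `log.Warn()`, while the cli.go change in this same commit logs via `log.Ctx(ctx)`; the function takes a ctx (its signature is cut off above the hunk, but the test calls it with `context.Background()`), so `log.Ctx(ctx).Warn().Str("version", release.Version).Msg("invalid version")` would keep one logging path and honor any logger attached to the context. The branch then returns `Unknown, currentVersion, nil, err`, where `err` is presumably whatever the preceding lookup left, i.e. nil on this path, so the caller receives a nil release and no error and learns of the problem only from this log line, and the CLI then logs a second warning for the same event; if that is intended, returning a literal `nil` makes it explicit, otherwise `fmt.Errorf("invalid release version %q", release.Version)` would surface it. Note also that `release.Version` originates from the remote release source and is untrusted; zerolog escapes it in JSON output, but a console writer renders it raw, so it is worth keeping that in mind if log lines are consumed by other tooling.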
diff --git a/pkg/releases/versions_test.go b/pkg/releases/versions_test.go
index 248d458f8a..d644e8ab0d 100644
--- a/pkg/releases/versions_test.go
+++ b/pkg/releases/versions_test.go
@@ -8,28 +8,30 @@ import (
 )
 type testCase struct {
- name string
- version string
- releaseVersion string
- expectedState SoftwareUpdateState
+ name string
+ version string
+ releaseVersion string
+ expectedState SoftwareUpdateState
+ expectReleaseNil bool
 }
 func TestCheckIsLatestVersion(t *testing.T) {
 testCases := []testCase{
- {"up to date", "v1.5.6", "v1.5.6", UpToDate},
- {"ahead of version", "v1.7.0", "v1.5.6", UpToDate},
- {"new version", "v1.5.6", "v1.5.7", UpdateAvailable},
- {"new minor version", "v1.5.6", "v1.6.0", UpdateAvailable},
- {"new major version", "v1.5.6", "v2.0.0", UpdateAvailable},
- {"invalid version", "abcdef", "v1.6.0", UnreleasedVersion},
- {"empty version", "", "v1.6.0", UnreleasedVersion},
- {"invalid release version", "v1.5.6", "abderf", Unknown},
+ {"up to date", "v1.5.6", "v1.5.6", UpToDate, false},
+ {"ahead of version", "v1.7.0", "v1.5.6", UpToDate, false},
+ {"new version", "v1.5.6", "v1.5.7", UpdateAvailable, false},
+ {"new minor version", "v1.5.6", "v1.6.0", UpdateAvailable, false},
+ {"new major version", "v1.5.6", "v2.0.0", UpdateAvailable, false},
+ {"invalid version", "abcdef", "v1.6.0", UnreleasedVersion, true},
+ {"empty version", "", "v1.6.0", UnreleasedVersion, true},
+ {"invalid release version", "v1.5.6", "abderf", Unknown, true},
+ {"invalid release version string", "v1.5.6", "1.7.8", Unknown, true},
 }
 for _, tc := range testCases {
 tc := tc
 t.Run(tc.name, func(t *testing.T) {
- state, _, _, _ := CheckIsLatestVersion(context.Background(), func() (string, error) {
+ state, _, release, _ := CheckIsLatestVersion(context.Background(), func() (string, error) {
 return tc.version, nil
 }, func(ctx context.Context) (*Release, error) {
 return &Release{
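Review bot: The new `expectReleaseNil` column only exercises a fetcher that succeeds: the `func(ctx context.Context) (*Release, error)` closure at the bottom of the hunk always returns a populated Release, so the scenario the cli.go guard in this commit protects against, the release lookup itself failing, has no test. A separate case whose fetcher returns `nil, errors.New("lookup failed")` (and one returning `nil, nil`, if the production fetcher can do that) asserting that the call returns without panicking and that `release == nil` would pin that path; the expected state for those cases is not visible from here, so take it from CheckIsLatestVersion rather than guessing. The table literal is complete in this hunk, but the Release literal body continues past the hunk's last line.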
@@ -37,6 +39,7 @@ func TestCheckIsLatestVersion(t *testing.T) {
 }, nil
 })
 require.Equal(t, tc.expectedState, state)
+ require.Equal(t, tc.expectReleaseNil, release == nil)
 })
 }
 }
From 736acc141abb0dcd8240f3096b87ed7b9cdaac3f Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 5 Mar 2024 17:15:27 -0500
Subject: [PATCH 2/2] Update protobuf version for reported CVE in protobuf lib
---
 e2e/go.mod | 2 +-
 e2e/go.sum | 4 ++--
 go.mod | 2 +-
 go.sum | 2 ++
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/e2e/go.mod b/e2e/go.mod
index 99205dae2f..f98a1bfb4c 100644
--- a/e2e/go.mod
+++ b/e2e/go.mod
@@ -59,7 +59,7 @@ require (
 google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014 // indirect
- google.golang.org/protobuf v1.32.0 // indirect
+ google.golang.org/protobuf v1.33.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/e2e/go.sum b/e2e/go.sum
index 6a63f20e3a..9954077998 100644
--- a/e2e/go.sum
+++ b/e2e/go.sum
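Review bot: `require.Equal(t, tc.expectReleaseNil, release == nil)` reports only `expected: true, actual: false` when it fails, hiding the Release that was unexpectedly returned (or the case that unexpectedly produced nil). Writing the intent directly, `if tc.expectReleaseNil { require.Nil(t, release) } else { require.NotNil(t, release) }`, gives a failure message that prints the offending value and reads as a nil-ness check rather than a boolean comparison. The subtest closure and TestCheckIsLatestVersion both begin before this hunk.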
@@ -346,8 +346,8 @@ google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
 google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
-google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/go.mod b/go.mod
index 2951150368..aa3f102708 100644
--- a/go.mod
+++ b/go.mod
@@ -89,7 +89,7 @@ require (
 google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014
 google.golang.org/grpc v1.61.0
- google.golang.org/protobuf v1.32.0
+ google.golang.org/protobuf v1.33.0
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 resenje.org/singleflight v0.4.1
diff --git a/go.sum b/go.sum
index d7c4574fc8..a14fd7a82c 100644
--- a/go.sum
+++ b/go.sum
@@ -1376,6 +1376,8 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
 google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=