Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ensure that invalid versions do not cause a nil panic #1781

Merged
merged 2 commits into from
Mar 5, 2024
Merged

Ensure that invalid versions do not cause a nil panic #1781

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
20bb002
Ensure that invalid versions do not cause a nil panic
josephschorr Mar 5, 2024
736acc1
Update protobuf version for reported CVE in protobuf lib
josephschorr Mar 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion e2e/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ require (
google.golang.org/genproto v0.0.0-20240125205218-1f4bbc51befe // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014 // indirect
google.golang.org/protobuf v1.32.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

Expand Down
4 changes: 2 additions & 2 deletions e2e/go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -346,8 +346,8 @@ google.golang.org/grpc v1.61.0 h1:TOvOcuXn30kRao+gfcvsebNEa5iZIiLkisYEkf7R7o0=
google.golang.org/grpc v1.61.0/go.mod h1:VUbo7IFqmF1QtCAstipjG0GIoq49KvMe9+h1jFLBNJs=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
Expand Down
2 changes: 1 addition & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ require (
google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014
google.golang.org/genproto/googleapis/rpc v0.0.0-20240205150955-31a09d347014
google.golang.org/grpc v1.61.0
google.golang.org/protobuf v1.32.0
google.golang.org/protobuf v1.33.0
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.1
resenje.org/singleflight v0.4.1
Expand Down
2 changes: 2 additions & 0 deletions go.sum
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1376,6 +1376,8 @@ google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
google.golang.org/protobuf v1.32.0 h1:pPC6BG5ex8PDFnkbrGU3EixyhKcQ2aDuBS36lqK/C7I=
google.golang.org/protobuf v1.32.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
Expand Down
15 changes: 15 additions & 0 deletions pkg/releases/cli.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,14 +40,29 @@ func CheckAndLogRunE() cobrautil.CobraRunFunc {
return nil

case UpdateAvailable:
if release == nil {
log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
return nil
}

log.Ctx(ctx).Warn().Str("this-version", currentVersion).Str("latest-released-version", release.Version).Msgf("this version of SpiceDB is out of date. See: %s", release.ViewURL)
return nil

case UpToDate:
if release == nil {
log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
return nil
}

log.Ctx(ctx).Info().Str("latest-released-version", release.Version).Msg("this is the latest released version of SpiceDB")
return nil

case Unknown:
if release == nil {
log.Ctx(ctx).Warn().Msg("unable to check for or load the new SpiceDB version")
return nil
}

log.Ctx(ctx).Warn().Str("unknown-released-version", release.Version).Msg("unable to check for a new SpiceDB version")
return nil

Expand Down
2 changes: 2 additions & 0 deletions pkg/releases/versions.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"runtime/debug"

"github.com/jzelinskie/cobrautil/v2"
"github.com/rs/zerolog/log"
"golang.org/x/mod/semver"
)

Expand Down Expand Up @@ -59,6 +60,7 @@ func CheckIsLatestVersion(
}

if !semver.IsValid(release.Version) {
log.Warn().Str("version", release.Version).Msg("invalid version")
return Unknown, currentVersion, nil, err
}

Expand Down
29 changes: 16 additions & 13 deletions pkg/releases/versions_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,35 +8,38 @@ import (
)

type testCase struct {
name string
version string
releaseVersion string
expectedState SoftwareUpdateState
name string
version string
releaseVersion string
expectedState SoftwareUpdateState
expectReleaseNil bool
}

func TestCheckIsLatestVersion(t *testing.T) {
testCases := []testCase{
{"up to date", "v1.5.6", "v1.5.6", UpToDate},
{"ahead of version", "v1.7.0", "v1.5.6", UpToDate},
{"new version", "v1.5.6", "v1.5.7", UpdateAvailable},
{"new minor version", "v1.5.6", "v1.6.0", UpdateAvailable},
{"new major version", "v1.5.6", "v2.0.0", UpdateAvailable},
{"invalid version", "abcdef", "v1.6.0", UnreleasedVersion},
{"empty version", "", "v1.6.0", UnreleasedVersion},
{"invalid release version", "v1.5.6", "abderf", Unknown},
{"up to date", "v1.5.6", "v1.5.6", UpToDate, false},
{"ahead of version", "v1.7.0", "v1.5.6", UpToDate, false},
{"new version", "v1.5.6", "v1.5.7", UpdateAvailable, false},
{"new minor version", "v1.5.6", "v1.6.0", UpdateAvailable, false},
{"new major version", "v1.5.6", "v2.0.0", UpdateAvailable, false},
{"invalid version", "abcdef", "v1.6.0", UnreleasedVersion, true},
{"empty version", "", "v1.6.0", UnreleasedVersion, true},
{"invalid release version", "v1.5.6", "abderf", Unknown, true},
{"invalid release version string", "v1.5.6", "1.7.8", Unknown, true},
}

for _, tc := range testCases {
tc := tc
t.Run(tc.name, func(t *testing.T) {
state, _, _, _ := CheckIsLatestVersion(context.Background(), func() (string, error) {
state, _, release, _ := CheckIsLatestVersion(context.Background(), func() (string, error) {
return tc.version, nil
}, func(ctx context.Context) (*Release, error) {
return &Release{
Version: tc.releaseVersion,
}, nil
})
require.Equal(t, tc.expectedState, state)
require.Equal(t, tc.expectReleaseNil, release == nil)
})
}
}
Loading