fix(kubectl-plugin/log): validate header.Mode and release fds per iteration#4728
fix(kubectl-plugin/log): validate header.Mode and release fds per iteration#4728SAY-5 wants to merge 2 commits intoray-project:masterfrom
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 145d519. Configure here.
…ration downloadRayLogFiles had three related problems flagged in ray-project#4695: 1. gosec G115: tar.Header.Mode is int64 but os.FileMode is uint32. The existing overflow check was non-fatal: it printed a warning and then proceeded to cast the overflowing value anyway. A malformed or hostile tar header could therefore ask for unexpected mode bits. Reject the file early (using 'break', not 'continue', so the for-loop below still calls tarReader.Next and does not spin on the bad entry) and cast explicitly through uint32 so gosec is happy. 2. File-descriptor leak: outFile.Close was registered with 'defer' inside the extraction loop, so every opened file stayed open until downloadRayLogFiles returned. Extracting a large log tar could hit the 'too many open files' ulimit. Wrap the per-file copy in a closure so the deferred Close runs at end of iteration. 3. Minor: fix the user-visible message ('out side' -> 'outside', 'accceptable' -> 'acceptable', include the file name, add a newline). Fixes ray-project#4695 Signed-off-by: Sai Asish Y <say.apm35@gmail.com>
|
Thanks @cursor for catching this — that was a real bug. Fixed by using |
SAY-5
force-pushed
the
fix-g115-fdleak-log-4695
branch
from
c11b8c9 to
53dc837
Compare
|
Since this changes the behavior in
|
…ject#4728 review @hango880623 review asked for: * a test that exercises the invalid-Mode skip path; * one that proves extraction continues past the bad entry; * a more flexible tar test helper. Refactor the existing createFakeTarFile() onto a new buildFakeTarFile([]fakeTarEntry) helper so tests can drop arbitrary entries (modes, ordering, etc.) without redefining the boilerplate. The original helper is preserved as a thin wrapper so the existing TestDownloadRayLogFiles test does not move. Add TestDownloadRayLogFiles_SkipsInvalidMode: builds a tar with a valid entry (good_before.txt), an out-of-range Mode entry (math.MaxUint32+1, the smallest int64 that fails the bounds check), and a third valid entry (good_after.txt). Asserts: * downloadRayLogFiles returns no error; * good_before.txt and good_after.txt land on disk; * bad_mode.txt is skipped (not written). This pins the regression behind the G115 fix in this PR — both the bounds rejection and the 'fall through to tarReader.Next() instead of spinning' fix from the earlier review round. Signed-off-by: SAY-5 <SAY-5@users.noreply.github.com>
|
Hi @hango880623, thanks for the review. Pushed both pieces in
|
2 participants
Fixes #4695.
What
ClusterLogOptions.downloadRayLogFilesinkubectl-plugin/pkg/cmd/log/log.gohad three issues called out in the bug:gosec G115 (integer overflow).
tar.Header.Modeisint64,os.FileModeisuint32. The existing overflow check printed a warning but then fell through toos.FileMode(header.Mode)anyway, so a crafted tar header could still apply unexpected mode bits. Now wecontinuewhen the mode is out of range and cast explicitly throughuint32so the G115 diagnostic is honoured:File-descriptor leak.
defer outFile.Close()sat inside the extraction loop, so every opened file stayed open untildownloadRayLogFilesreturned. Extracting a large log tar can hit thetoo many open filesulimit. The copy is now wrapped in an IIFE so thedeferfires at the end of each iteration:Error message quality.
out side→outside,accceptable→acceptable, include the offending filename, add a newline.Why
(1) is a security improvement (gosec was right), (2) is a reliability improvement for large log tars, and (3) is housekeeping that falls out of touching the surrounding block anyway.
Signed off per DCO.