rode / grafeas-elasticsearch

An implementation of the Grafeas storage backend based on Elasticsearch
Apache License 2.0
12 stars 5 forks

`UpdateOccurrence` should check that the field mask is set #98

Open alexashley opened 2 years ago

alexashley commented 2 years ago

In Grafeas, the mask is plucked off the request and passed to the storage layer without validation, so it can be nil. That causes this panic when the mask is updated:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0xfa4252]
grafeas_1        |
goroutine 32145 [running]:
github.com/rode/grafeas-elasticsearch/go/v1beta1/storage.(*ElasticsearchStorage).UpdateOccurrence(0xc0005a3840, 0x13b6280, 0xc0007ab0e0, 0xc000536409, 0x4, 0xc00053641a, 0x24, 0xc000117000, 0x0, 0x4, ...)
    /workspace/go/v1beta1/storage/elasticsearch.go:397 +0x952
github.com/grafeas/grafeas/go/v1beta1/api.(*API).UpdateOccurrence(0xc0000c60a0, 0x13b6280, 0xc0007ab0e0, 0xc000432a00, 0xc0000c60a0, 0xc0007ab0e0, 0xc00028cba0)
    /go/pkg/mod/github.com/grafeas/grafeas@v0.1.6/go/v1beta1/api/occurrence.go:220 +0x2a4
github.com/grafeas/grafeas/proto/v1beta1/grafeas_go_proto._GrafeasV1Beta1_UpdateOccurrence_Handler(0x11de320, 0xc0000c60a0, 0x13b6280, 0xc0007ab0e0, 0xc000155080, 0x0, 0x13b6280, 0xc0007ab0e0, 0xc00047c480, 0x21e)
    /go/pkg/mod/github.com/grafeas/grafeas@v0.1.6/proto/v1beta1/grafeas_go_proto/grafeas.pb.go:2267 +0x217
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00036d880, 0x13c67b8, 0xc000244d80, 0xc000111100, 0xc0002f6e10, 0x1c18378, 0x0, 0x0, 0x0)
    /go/pkg/mod/google.golang.org/grpc@v1.33.1/server.go:1210 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc00036d880, 0x13c67b8, 0xc000244d80, 0xc000111100, 0x0)
    /go/pkg/mod/google.golang.org/grpc@v1.33.1/server.go:1533 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc0000b8d10, 0xc00036d880, 0x13c67b8, 0xc000244d80, 0xc000111100)
    /go/pkg/mod/google.golang.org/grpc@v1.33.1/server.go:871 +0xab
created by google.golang.org/grpc.(*Server).serveStreams.func1
    /go/pkg/mod/google.golang.org/grpc@v1.33.1/server.go:869 +0x1fd
```

Either this function could return with an error or initialize an empty mask if it's not set. Either way, malformed requests shouldn't crash the entire server; see #99.
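The two fixes proposed in the comment above (reject a nil mask, or substitute an empty one), sketched as an added example that is not code from this repository or from Grafeas. `FieldMask`, `Occurrence`, `ErrInvalidArgument`, `normalizeMask`, the `strict` switch and the path names are hypothetical stand-ins so the block builds with the standard library alone; treating an empty mask as "change nothing" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// FieldMask stands in for the protobuf FieldMask message (only Paths is modelled).
type FieldMask struct{ Paths []string }

// Occurrence is a constructed two-field stand-in, not the Grafeas message.
type Occurrence struct{ Resource, Remediation string }

var ErrInvalidArgument = errors.New("invalid argument")

// normalizeMask rejects a nil mask (strict) or swaps in an empty one.
func normalizeMask(m *FieldMask, strict bool) (*FieldMask, error) {
	if m == nil && strict {
		return nil, fmt.Errorf("%w: update mask must be set", ErrInvalidArgument)
	}
	if m == nil {
		return &FieldMask{}, nil
	}
	return m, nil
}

// updateOccurrence copies masked fields only; an empty mask changes nothing (assumption).
func updateOccurrence(stored, patch Occurrence, mask *FieldMask, strict bool) (Occurrence, error) {
	mask, err := normalizeMask(mask, strict)
	if err != nil {
		return stored, err
	}
	out := stored
	for _, p := range mask.Paths {
		switch p {
		case "resource":
			out.Resource = patch.Resource
		case "remediation":
			out.Remediation = patch.Remediation
		default:
			return stored, fmt.Errorf("%w: unknown mask path %q", ErrInvalidArgument, p)
		}
	}
	return out, nil
}

func main() {
	_, err := updateOccurrence(Occurrence{Resource: "a"}, Occurrence{Resource: "b"}, nil, true)
	fmt.Println(err) // the nil mask is rejected instead of dereferenced
}
```

In either mode the nil mask is handled before anything reads `mask.Paths`, so a request without a mask fails (or becomes a no-op) on its own instead of taking the process down.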