Open bradbeck opened 5 months ago
the panic should be fixed by #1113, specifically these lines in signing.go
- b := o.Backends[backend]
+ logger.Infof("signable storage backends: %v", signableType.StorageBackend(cfg))
+ logger.Infof("o.Backends(): %v", o.Backends)
+
+ b, ok := o.Backends[backend]
+ if !ok {
+ backendErr := fmt.Errorf("could not find backend '%s' in configured backends (%v) while trying sign: %s/%s", backend, maps.Keys(o.Backends), tektonObj.GetKindName(), tektonObj.GetName())
+ logger.Error(backendErr)
+ merr = multierror.Append(merr, backendErr)
+ continue
+ }
+
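Review bot: the two logger.Infof calls at the top of the hunk read as debugging output and will print the backend list and the o.Backends map at info level each time this path runs; consider Debugf, or dropping them now that the new error already lists the configured backends. In that error string, "while trying sign" is missing "to", and since maps.Keys returns keys in map iteration order, sorting them would keep the message stable between runs.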
however, it will not fix the underlying issue (^ in password)
that said, chains doesn't really parse MONGO_SERVER_URL in any way, so i suspect this might be coming from https://github.com/google/go-cloud/tree/master/docstore/mongodocstore
It appears that there may be an issue with go.mongodb.org/mongo-driver v1.13.1. In local testing this version of the driver appears to fail in this way. v1.12.0, v1.13.2, v1.14.0 and v1.15.0 do not appear to fail in this way, at least based on my testing.
The following assumes there is a MongoDB server running locally with a tekton-chains user and a tekton-chains database with a bar collection defined.
```go
package main

import (
	"context"
	"fmt"

	"go.mongodb.org/mongo-driver/bson"
	"go.mongodb.org/mongo-driver/mongo"
	"go.mongodb.org/mongo-driver/mongo/options"
)

func main() {
	uri := "mongodb://tekton-chains:foo^bar@localhost:27017/?authSource=admin"
	client, err := mongo.Connect(context.TODO(), options.Client().ApplyURI(uri))
	if err != nil {
		panic(err)
	}
	defer func() {
		if err := client.Disconnect(context.TODO()); err != nil {
			panic(err)
		}
	}()
	names, err := client.Database("tekton-chains").ListCollectionNames(context.TODO(), bson.D{})
	if err != nil {
		panic(err)
	}
	for i, name := range names {
		fmt.Printf("%d: %s\n", i, name)
	}
}
```
```
$ go get go.mongodb.org/mongo-driver@v1.13.1
...
$ go run main.go
panic: parse "mongodb://tekton-chains:foo^bar@localhost:27017/?authSource=admin": net/url: invalid userinfo

goroutine 1 [running]:
main.main()
	/Users/bradbeck/github/bradbeck/mongo-client/main.go:16 +0x214
exit status 2
$ go get go.mongodb.org/mongo-driver@v1.13.2
go: upgraded go.mongodb.org/mongo-driver v1.13.1 => v1.13.2
$ go run main.go
0: bar
```
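An added example, not code from this thread, from Chains or from the driver: it reproduces the `net/url: invalid userinfo` rejection with the standard library alone, builds the same URI with the password percent-encoded, and strips the URI (which carries the password, as the panic output above shows) from the returned error. `BuildMongoURI` and `ParseMongoURI` are names made up here, and the example assumes the driver percent-decodes credentials as the MongoDB connection string format describes.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// BuildMongoURI (hypothetical helper) assembles a connection string with the
// credentials percent-encoded, so a password such as "foo^bar" passes strict
// URL parsing.
func BuildMongoURI(user, password, host, authSource string) string {
	u := url.URL{
		Scheme:   "mongodb",
		User:     url.UserPassword(user, password), // encoded when rendered
		Host:     host,
		Path:     "/",
		RawQuery: url.Values{"authSource": {authSource}}.Encode(),
	}
	return u.String()
}

// ParseMongoURI (hypothetical helper) applies the net/url parse whose failure
// appears in the panic output above. A *url.Error embeds the whole input,
// password included, so only the inner cause is passed back to the caller.
func ParseMongoURI(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	var ue *url.Error
	if errors.As(err, &ue) {
		return nil, fmt.Errorf("connection URI rejected: %w", ue.Err)
	}
	return u, err
}

func main() {
	// URI from the report, with the unencoded '^' in the password.
	raw := "mongodb://tekton-chains:foo^bar@localhost:27017/?authSource=admin"
	_, err := ParseMongoURI(raw)
	fmt.Println("raw:", err)

	enc := BuildMongoURI("tekton-chains", "foo^bar", "localhost:27017", "admin")
	u, err := ParseMongoURI(enc)
	if err != nil {
		panic(err)
	}
	pw, _ := u.User.Password() // decoded back to the original password
	fmt.Println("encoded:", enc, pw == "foo^bar")
}
```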
Expected Behavior
The user should be able to have a MongoDB password that contains a ^ as part of MONGO_SERVER_URL without causing a panic. ^ seems to be valid without encoding when using mongosh and is not listed as one of the characters that is required to be encoded in the MongoDB documentation.
Actual Behavior
Having a password as part of MONGO_SERVER_URL that contains ^ causes a null pointer access panic when attempting to store payloads.
Steps to Reproduce the Problem
^ in the MongoDB password used in MONGO_SERVER_URL
Chains will panic:
Additional Info
Kubernetes version:
Tekton Pipeline version: