projects / arvados.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1ce5dff)
14262: Avoid out-of-bounds panics checking cluster prefixes
authorPeter Amstutz <pamstutz@veritasgenetics.com>
Thu, 1 Nov 2018 19:14:14 +0000 (15:14 -0400)
committerPeter Amstutz <pamstutz@veritasgenetics.com>
Thu, 1 Nov 2018 19:18:06 +0000 (15:18 -0400)
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz@veritasgenetics.com>

lib/controller/fed_containers.go patch | blob | history
lib/controller/fed_generic.go patch | blob | history

diff --git a/lib/controller/fed_containers.go b/lib/controller/fed_containers.go
index e4c80a32cc16bd36d3b45a84077500e186e30304..5c5501d22c73767f87f74d5b5439927c4c4282bb 100644 (file)
--- a/lib/controller/fed_containers.go
+++ b/lib/controller/fed_containers.go
@@ -10,6 +10,7 @@ import (
        "fmt"
        "io/ioutil"
        "net/http"
+       "strings"
 
        "git.curoverse.com/arvados.git/sdk/go/auth"
        "git.curoverse.com/arvados.git/sdk/go/httpserver"
@@ -79,7 +80,7 @@ func remoteContainerRequestCreate(
                }
 
                // Must be home cluster for this authorization
-               if currentUser.Authorization.UUID[0:5] == h.handler.Cluster.ClusterID {
+               if strings.HasPrefix(currentUser.Authorization.UUID, h.handler.Cluster.ClusterID) {
                        newtok, err := h.handler.createAPItoken(req, currentUser.UUID, nil)
                        if err != nil {
                                httpserver.Error(w, err.Error(), http.StatusForbidden)
diff --git a/lib/controller/fed_generic.go b/lib/controller/fed_generic.go
index 63e61e6908f8b318ead4e151bd13dee302c815d3..6c8135cf91253a004971399ef0a49a5fe07bf34d 100644 (file)
--- a/lib/controller/fed_generic.go
+++ b/lib/controller/fed_generic.go
@@ -140,7 +140,7 @@ func (h *genericFederatedRequestHandler) handleMultiClusterQuery(w http.Response
                if op == "in" {
                        if rhs, ok := filter[2].([]interface{}); ok {
                                for _, i := range rhs {
-                                       if u, ok := i.(string); ok {
+                                       if u, ok := i.(string); ok && len(u) == 27 {
                                                *clusterId = u[0:5]
                                                queryClusters[u[0:5]] = append(queryClusters[u[0:5]], u)
                                                expectCount += 1
@@ -148,7 +148,7 @@ func (h *genericFederatedRequestHandler) handleMultiClusterQuery(w http.Response
                                }
                        }
                } else if op == "=" {
-                       if u, ok := filter[2].(string); ok {
+                       if u, ok := filter[2].(string); ok && len(u) == 27 {
                                *clusterId = u[0:5]
                                queryClusters[u[0:5]] = append(queryClusters[u[0:5]], u)
                                expectCount += 1