shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a2e1ddb56f4d153fff5cf5b834d6a1b252abb231
coder/provisionerd/runner/init.go
T
Garrett Delfosse a2e1ddb56f fix: validate FileSize in NewDataBuilder to prevent OOM DoS (#25710) 
`NewDataBuilder` allocated `make([]byte, 0, req.FileSize)` using the
client-supplied `int64` with no upper-bound check. The DRPC 4 MiB wire
cap limits message size but not the integer value, so a crafted message
with `FileSize = 1<<40` forces a 1 TiB allocation, triggering an
unrecoverable `runtime.throw` that kills the entire `coderd` process.

Add a `MaxFileSize` constant (100 MiB, matching `HTTPFileMaxBytes` in
`coderd/files.go`) and reject negative or oversized `FileSize`, plus
negative or excessive `Chunks`, before the allocation.
`BytesToDataUpload` also returns an error for oversized data to preserve
the encode/decode round-trip contract. Fix a pre-existing reversed
subtraction in the `Add()` overflow error message.

Closes https://linear.app/codercom/issue/PLAT-231

<details>
<summary>Implementation details</summary>

- `provisionersdk/proto/dataupload.go`: New exported `MaxFileSize`
constant; validation in `NewDataBuilder` and `BytesToDataUpload`. Fixed
reversed subtraction in `Add()` error.
- `provisionersdk/proto/dataupload_test.go`: New
`TestNewDataBuilderValidation` with 7 subtests.
- Updated all 5 callers of `BytesToDataUpload` for new error return.
- Audited all `make([]byte, ...)` in provisioner paths; no other
client-supplied sizes.

</details>

> Generated by Coder Agents on behalf of @f0ssel
2026-05-27 14:30:11 -04:00

159 lines
4.6 KiB
Go
Raw Blame History

package runner
import (
"bytes"
"context"
"time"
"cdr.dev/slog/v3"
"github.com/coder/coder/v2/coderd/tracing"
"github.com/coder/coder/v2/provisionerd/proto"
sdkproto "github.com/coder/coder/v2/provisionersdk/proto"
)
//nolint:revive
func (r *Runner) init(ctx context.Context, omitModules bool, templateArchive []byte, moduleTar []byte) (*sdkproto.InitComplete, *proto.FailedJob) {
ctx, span := r.startTrace(ctx, tracing.FuncName())
defer span.End()
// If `moduleTar` is populated, `init` will send it over in multiple parts. This
// It must be called before the initial request to populate the correct hash if
// there is data to send. This is safe to call on nil or empty slices.
data, chunks, err := sdkproto.BytesToDataUpload(sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES, moduleTar)
if err != nil {
return nil, r.failedJobf("prepare module files upload: %v", err)
}
hash := []byte{}
if len(moduleTar) > 0 {
hash = data.DataHash
}
err = r.session.Send(&sdkproto.Request{Type: &sdkproto.Request_Init{Init: &sdkproto.InitRequest{
TemplateSourceArchive: templateArchive,
OmitModuleFiles: omitModules,
InitialModuleTarHash: hash,
}}})
if err != nil {
return nil, r.failedJobf("send init request: %v", err)
}
// If the module tar exists, send over the data.
if len(moduleTar) > 0 {
err = r.session.Send(&sdkproto.Request{
Type: &sdkproto.Request_File{
File: &sdkproto.FileUpload{
Type: &sdkproto.FileUpload_DataUpload{
DataUpload: data,
},
},
},
})
if err != nil {
return nil, r.failedJobf("send module files data upload: %v", err)
}
for _, c := range chunks {
err = r.session.Send(&sdkproto.Request{
Type: &sdkproto.Request_File{
File: &sdkproto.FileUpload{
Type: &sdkproto.FileUpload_ChunkPiece{
ChunkPiece: c,
},
},
},
})
if err != nil {
return nil, r.failedJobf("send module files chunk: %v", err)
}
}
}
nevermind := make(chan struct{})
defer close(nevermind)
go func() {
select {
case <-nevermind:
return
case <-r.notStopped.Done():
return
case <-r.notCanceled.Done():
_ = r.session.Send(&sdkproto.Request{
Type: &sdkproto.Request_Cancel{
Cancel: &sdkproto.CancelRequest{},
},
})
}
}()
var moduleFilesUpload *sdkproto.DataBuilder
for {
msg, err := r.session.Recv()
if err != nil {
return nil, r.failedJobf("receive init response: %v", err)
}
switch msgType := msg.Type.(type) {
case *sdkproto.Response_Log:
r.logProvisionerJobLog(context.Background(), msgType.Log.Level, "terraform initialization",
slog.F("level", msgType.Log.Level),
slog.F("output", msgType.Log.Output),
)
r.queueLog(ctx, &proto.Log{
Source: proto.LogSource_PROVISIONER,
Level: msgType.Log.Level,
CreatedAt: time.Now().UnixMilli(),
Output: msgType.Log.Output,
Stage: "Initializing Terraform Directory",
})
case *sdkproto.Response_DataUpload:
if omitModules {
return nil, r.failedJobf("received unexpected module files data upload when omitModules is true")
}
c := msgType.DataUpload
if c.UploadType != sdkproto.DataUploadType_UPLOAD_TYPE_MODULE_FILES {
return nil, r.failedJobf("invalid data upload type: %q", c.UploadType)
}
if moduleFilesUpload != nil {
return nil, r.failedJobf("multiple module data uploads received, only expect 1")
}
moduleFilesUpload, err = sdkproto.NewDataBuilder(c)
if err != nil {
return nil, r.failedJobf("create data builder: %s", err.Error())
}
case *sdkproto.Response_ChunkPiece:
if omitModules {
return nil, r.failedJobf("received unexpected module files data upload when omitModules is true")
}
c := msgType.ChunkPiece
if moduleFilesUpload == nil {
return nil, r.failedJobf("received chunk piece before module files data upload")
}
_, err := moduleFilesUpload.Add(c)
if err != nil {
return nil, r.failedJobf("module files, add chunk piece: %s", err.Error())
}
case *sdkproto.Response_Init:
if moduleFilesUpload != nil {
// If files were uploaded in multiple chunks, put them back together.
moduleFilesData, err := moduleFilesUpload.Complete()
if err != nil {
return nil, r.failedJobf("complete module files data upload: %s", err.Error())
}
if !bytes.Equal(msgType.Init.ModuleFilesHash, moduleFilesUpload.Hash) {
return nil, r.failedJobf("module files hash mismatch, uploaded: %x, expected: %x", moduleFilesUpload.Hash, msgType.Init.ModuleFilesHash)
}
msgType.Init.ModuleFiles = moduleFilesData
}
return msgType.Init, nil
default:
return nil, r.failedJobf("unexpected init response type %T", msg.Type)
}
}
}
Reference in New Issue View Git Blame Copy Permalink