
use status.Error instead of status.Errorf #397

Merged

Conversation

petermattis (Contributor)

Use status.Error instead of status.Errorf when the format string is
non-constant and not actually a format string. In the case of the
validator middleware, the error being supplied as a format string could
potentially contain data supplied by an attacker, allowing for format
string injection. This doesn't appear to be an actual problem due to
fmt being safe in this regard, but it certainly isn't good practice
to provide a format string that an attacker can control.

Fixes #396

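The pattern the PR description above removes, as an added example that is not code from this PR or from the go-grpc-middleware project. Because the gRPC module is not available offline, `Code`, `Status`, `StatusError` and `StatusErrorf` are local stand-ins for `codes.Code` and `status.Error`/`status.Errorf` from google.golang.org/grpc/status (the real `status.Errorf` also formats with `fmt.Sprintf`); `validationErr`, `before`, `after`, `Message` and `Mangled` are assumed names. It shows what actually happens when a request value containing `%` verbs reaches the format-string parameter: `fmt` substitutes `%!d(MISSING)`-style markers instead of reading arguments it was not given, so the impact is a corrupted error message rather than memory disclosure, which is why the description calls it bad practice rather than an exploitable bug.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local stand-ins for google.golang.org/grpc/status and codes, assumed here so
// the example runs without the gRPC module.
type Code int

const InvalidArgument Code = 3

type Status struct {
	Code    Code
	Message string
}

func (s *Status) Error() string {
	return fmt.Sprintf("rpc error: code = %d desc = %s", s.Code, s.Message)
}

// StatusError takes the message as plain data, like status.Error.
func StatusError(c Code, msg string) error { return &Status{Code: c, Message: msg} }

// StatusErrorf interprets its second argument as a format string, like
// status.Errorf. The args are copied so go vet does not treat this stand-in
// as a printf wrapper and reject the deliberately buggy call in before().
func StatusErrorf(c Code, format string, a ...interface{}) error {
	args := append([]interface{}(nil), a...)
	return StatusError(c, fmt.Sprintf(format, args...))
}

// validationErr stands in for a validator error whose text embeds a
// client-supplied value (assumed shape, not the middleware's real message).
func validationErr(value string) error {
	return errors.New("invalid value for " + value)
}

// before mirrors the pattern the PR removes: the error text is passed as the
// format string, so any '%' verbs in the request data are interpreted by fmt.
func before(value string) error {
	err := validationErr(value)
	return StatusErrorf(InvalidArgument, err.Error())
}

// after mirrors the fix: the error text is passed as plain data.
func after(value string) error {
	err := validationErr(value)
	return StatusError(InvalidArgument, err.Error())
}

// Message extracts the desc of a *Status error.
func Message(err error) string {
	var s *Status
	if errors.As(err, &s) {
		return s.Message
	}
	return err.Error()
}

// Mangled reports whether a message carries fmt's bad-verb marker ("%!"),
// a cheap way to spot this bug in error logs after the fact.
func Mangled(msg string) bool { return strings.Contains(msg, "%!") }

func main() {
	input := "%d%s" // constructed request value containing format verbs
	fmt.Println("before:", before(input)) // desc = invalid value for %!d(MISSING)%!s(MISSING)
	fmt.Println("after: ", after(input))  // desc = invalid value for %d%s
}
```

The `Mangled` check is the same signal a log search for `%!` would give you: once the fix is in, error descriptions round-trip the client value unchanged, and the marker disappears.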
johanbrandhorst (Collaborator) left a comment


LGTM

@johanbrandhorst johanbrandhorst merged commit 912313c into grpc-ecosystem:master Feb 11, 2021
johanbrandhorst (Collaborator)

Thanks for your contribution! Could you please cherry pick this fix against the v2 branch?

@petermattis petermattis deleted the pmattis/status-error branch February 11, 2021 13:40
petermattis (Contributor, Author)

> Thanks for your contribution! Could you please cherry pick this fix against the v2 branch?

Not any time soon unfortunately.

Development

Successfully merging this pull request may close these issues.

passing err.Error() to the format string of grpc.Errorf allows format string injection