Fix RPM resource leak (#31794)
Fixes a resource leak introduced by #27069. - add defer - move sign code out of `repository.go`
This commit is contained in:
parent
de2787a493
commit
3862b31abb
@ -133,19 +133,20 @@ func UploadPackageFile(ctx *context.Context) {
|
|||||||
}
|
}
|
||||||
defer buf.Close()
|
defer buf.Close()
|
||||||
|
|
||||||
// if rpm sign enabled
|
|
||||||
if setting.Packages.DefaultRPMSignEnabled || ctx.FormBool("sign") {
|
if setting.Packages.DefaultRPMSignEnabled || ctx.FormBool("sign") {
|
||||||
pri, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
|
priv, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
apiError(ctx, http.StatusInternalServerError, err)
|
apiError(ctx, http.StatusInternalServerError, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
buf, err = rpm_service.SignPackage(buf, pri)
|
signedBuf, err := rpm_service.SignPackage(buf, priv)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
// Not in rpm format, parsing failed.
|
|
||||||
apiError(ctx, http.StatusBadRequest, err)
|
apiError(ctx, http.StatusBadRequest, err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
defer signedBuf.Close()
|
||||||
|
|
||||||
|
buf = signedBuf
|
||||||
}
|
}
|
||||||
|
|
||||||
pck, err := rpm_module.ParsePackage(buf)
|
pck, err := rpm_module.ParsePackage(buf)
|
||||||
|
@ -21,7 +21,6 @@ import (
|
|||||||
rpm_model "code.gitea.io/gitea/models/packages/rpm"
|
rpm_model "code.gitea.io/gitea/models/packages/rpm"
|
||||||
user_model "code.gitea.io/gitea/models/user"
|
user_model "code.gitea.io/gitea/models/user"
|
||||||
"code.gitea.io/gitea/modules/json"
|
"code.gitea.io/gitea/modules/json"
|
||||||
"code.gitea.io/gitea/modules/log"
|
|
||||||
packages_module "code.gitea.io/gitea/modules/packages"
|
packages_module "code.gitea.io/gitea/modules/packages"
|
||||||
rpm_module "code.gitea.io/gitea/modules/packages/rpm"
|
rpm_module "code.gitea.io/gitea/modules/packages/rpm"
|
||||||
"code.gitea.io/gitea/modules/util"
|
"code.gitea.io/gitea/modules/util"
|
||||||
@ -30,7 +29,6 @@ import (
|
|||||||
"github.com/ProtonMail/go-crypto/openpgp"
|
"github.com/ProtonMail/go-crypto/openpgp"
|
||||||
"github.com/ProtonMail/go-crypto/openpgp/armor"
|
"github.com/ProtonMail/go-crypto/openpgp/armor"
|
||||||
"github.com/ProtonMail/go-crypto/openpgp/packet"
|
"github.com/ProtonMail/go-crypto/openpgp/packet"
|
||||||
"github.com/sassoftware/go-rpmutils"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
// GetOrCreateRepositoryVersion gets or creates the internal repository package
|
// GetOrCreateRepositoryVersion gets or creates the internal repository package
|
||||||
@ -643,33 +641,3 @@ func addDataAsFileToRepo(ctx context.Context, pv *packages_model.PackageVersion,
|
|||||||
OpenSize: wc.Written(),
|
OpenSize: wc.Written(),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func SignPackage(rpm *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
|
|
||||||
keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(privateKey)))
|
|
||||||
if err != nil {
|
|
||||||
// failed to parse key
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
entity := keyring[0]
|
|
||||||
h, err := rpmutils.SignRpmStream(rpm, entity.PrivateKey, nil)
|
|
||||||
if err != nil {
|
|
||||||
// error signing rpm
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
signBlob, err := h.DumpSignatureHeader(false)
|
|
||||||
if err != nil {
|
|
||||||
// error writing sig header
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if len(signBlob)%8 != 0 {
|
|
||||||
log.Info("incorrect padding: got %d bytes, expected a multiple of 8", len(signBlob))
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
// move fp to sign end
|
|
||||||
if _, err := rpm.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
// create signed rpm buf
|
|
||||||
return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), rpm))
|
|
||||||
}
|
|
||||||
|
39
services/packages/rpm/sign.go
Normal file
39
services/packages/rpm/sign.go
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
// Copyright 2024 The Gitea Authors. All rights reserved.
|
||||||
|
// SPDX-License-Identifier: MIT
|
||||||
|
|
||||||
|
package rpm
|
||||||
|
|
||||||
|
import (
|
||||||
|
"bytes"
|
||||||
|
"io"
|
||||||
|
"strings"
|
||||||
|
|
||||||
|
packages_module "code.gitea.io/gitea/modules/packages"
|
||||||
|
|
||||||
|
"github.com/ProtonMail/go-crypto/openpgp"
|
||||||
|
"github.com/sassoftware/go-rpmutils"
|
||||||
|
)
|
||||||
|
|
||||||
|
func SignPackage(buf *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
|
||||||
|
keyring, err := openpgp.ReadArmoredKeyRing(strings.NewReader(privateKey))
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
h, err := rpmutils.SignRpmStream(buf, keyring[0].PrivateKey, nil)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
signBlob, err := h.DumpSignatureHeader(false)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
if _, err := buf.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
// create new buf with signature prefix
|
||||||
|
return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), buf))
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user