fluxcd
/
kustomize-controller
mirror of https://github.com/fluxcd/kustomize-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #691 from fluxcd/sops-recover-store-panic

This commit is contained in:
Hidde Beydals 2022-07-13 16:08:49 +02:00 committed by GitHub
parent fa4facb1a3 2cdc9a578d
commit 1c661ad7c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
controllers/kustomization_decryptor.go
View File

@ -57,7 +57,7 @@ const (
// DecryptionProviderSOPS is the SOPS provider name. // DecryptionProviderSOPS is the SOPS provider name.
DecryptionProviderSOPS = "sops" DecryptionProviderSOPS = "sops"
// DecryptionPGPExt is the extension of the file containing an armored PGP // DecryptionPGPExt is the extension of the file containing an armored PGP
//key. // key.
DecryptionPGPExt = ".asc" DecryptionPGPExt = ".asc"
// DecryptionAgeExt is the extension of the file containing an age key // DecryptionAgeExt is the extension of the file containing an age key
// file. // file.
@ -263,7 +263,16 @@ func (d *KustomizeDecryptor) ImportKeys(ctx context.Context) error {
// for the input format, gathers the data key for it from the key service, // for the input format, gathers the data key for it from the key service,
// and then decrypts the file data with the retrieved data key. // and then decrypts the file data with the retrieved data key.
// It returns the decrypted bytes in the provided output format, or an error. // It returns the decrypted bytes in the provided output format, or an error.
func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) ([]byte, error) { func (d *KustomizeDecryptor) SopsDecryptWithFormat(data []byte, inputFormat, outputFormat formats.Format) (_ []byte, err error) {
defer func() {
// It was discovered that malicious input and/or output instructions can
// make SOPS panic. Recover from this panic and return as an error.
if r := recover(); r != nil {
err = fmt.Errorf("failed to emit encrypted %s file as decrypted %s: %v",
sopsFormatToString[inputFormat], sopsFormatToString[outputFormat], r)
}
}()
store := common.StoreForFormat(inputFormat) store := common.StoreForFormat(inputFormat)
tree, err := store.LoadEncryptedFile(data) tree, err := store.LoadEncryptedFile(data)