fix: security hardening and stability fixes across orchestrator, transport, and services#13
Merged
mkumatag merged 3 commits intoJul 1, 2026
Conversation
mkumatag
reviewed
Jun 29, 2026
|
|
||
| // TODO: remove this replace directive once IBM/infra-go-sdk#12 is merged. | ||
| // Depends on: https://github.com/IBM/infra-go-sdk/pull/12 | ||
| replace github.com/IBM/infra-go-sdk => ../infra-go-sdk |
…sport, and services - infra/hmclog.go: add sync.Mutex to gate raw file writes against concurrent goroutine interleaving; add response-header and regex scrubbing to maskSession so X-API-Session tokens are redacted on login responses and in XML bodies - validation/validator.go, orchestrator/orchestrator.go: replace raw .LoadBalancer.VIP field access with nil-safe .GetVIP() calls in findClusterUsingVIP and all call-sites to prevent nil pointer dereference panic when load_balancer block is omitted from config.yaml - localexec/client.go: embed os.Getpid() in the WriteFile temp path to prevent cross-cluster race condition when two shiftlaunch processes run concurrently - cmd/create.go: wrap deferred logger Close in anonymous func so it evaluates the current orchestrator pointer at exit time rather than at defer registration - services/downloader.go: wire extractHashFromManifest into DownloadRHCOSImages and DownloadOpenShiftTools; remove test -s skip guard so curl -C - resumes partial downloads instead of accepting truncated files after Ctrl+C - services/registry.go: rewrite pull-secret update command to pass credentials via env variable and jq --arg to prevent bash injection from special chars; add shellQuote helper; fix error string casing and punctuation - infra/controller/network.go: replace awk column-split with grep -oP regex in RemoveVIPAlias to be robust against shifted ip -o output columns - go.mod: add replace directive for IBM/infra-go-sdk pending IBM/infra-go-sdk#12 Signed-off-by: SUDEESH JOHN <sudeeshjohn@in.ibm.com>
3c58edf to
c6cd9d8
Compare
Both CVEs are HIGH severity fixes in Go stdlib 1.26.4: - CVE-2026-27145: x509 VerifyHostname hostname matching flaw - CVE-2026-42504: MIME header decoding DoS via malformed encoded-words Signed-off-by: SUDEESH JOHN <sudeeshjohn@in.ibm.com>
mkumatag
requested changes
Jun 30, 2026
mkumatag
left a comment
Member
There was a problem hiding this comment.
Code Review
Overall this is a well-structured hardening and stability pass. The transport middleware refactor, session-token masking, shell-injection fix in registry.go, nil-guard on LoadBalancer, and the defer func(){}() fix are all clean and correct.
I've left inline comments on 4 items that need attention before merge: 2 correctness bugs and 2 nits.
Member
|
@sudeeshjohn these are the bob's review comments, please take a look.. |
2a53fc3 to
5d66757
Compare
logger/logger.go: - New() no longer propagates log-file open error to caller; file log is optional — warn to stderr and continue rather than aborting - Remove duplicate UpdateText() call in Info() spinner path (first call was dead code, immediately overwritten by the second) - Simplify 'err == nil && file != nil' guard to 'err == nil' (the nil file check is always redundant when err is nil) - TerminalOnly() returned os.Stdout; corrected to os.Stderr to match every other output path in the logger - Fix gofmt indentation on fileOpts struct literal (fields were double-indented relative to their enclosing block) services/downloader.go: - Replace silent exec.Execute(mkdir -p) with os.MkdirAll so directory creation failures are surfaced immediately with a clear error - Quote all paths and URLs passed to shell via shellQuote() to prevent shell injection and handle paths with spaces or special characters; add -- end-of-options to curl invocations - Replace shell-out sha256sum|awk with pure-Go crypto/sha256+io.Copy in verifyFileHash — no injection surface, portable, faster - Replace shell-out test -f + grep|awk in extractHashFromManifest with os.Stat + os.ReadFile + strings.Fields — eliminates regex metachar injection risk from filenames - Replace exec rm -f for stale manifest with os.Remove - Fix extractOpenShiftTools to use 'tar -xzf <archive> -C <dir>' instead of 'cd <dir> && tar -xzf <name>' — safer with quoted paths - Reuse rhcosDir in manifestPath join (was duplicating the base path) - Remove stale commit-message comment from DownloadAll - Fix missing space after // in two inline comments (golint) - Drop 'FATAL:' prefix from checksum mismatch error (non-idiomatic) infra/hmclog.go: - Check io.ReadAll error before restoring resp.Body; previously a partial read would hand a corrupt body back to the caller before the error was eventually checked and returned Signed-off-by: SUDEESH JOHN <sudeeshjohn@in.ibm.com>
5d66757 to
4944c42
Compare
mkumatag
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses a set of critical security flaws, concurrency bugs, and logical issues identified across the ShiftLaunch codebase.
Changes
🔒 Security
infra/hmclog.go— Session token leak in HMC debug transportmaskSessiononly checked the request header forX-API-Session. Duringclient.Login()the token is returned in the response header and XML body, so it was written todeployment.login plain text.resp.Header.Get("X-API-Session")<X-API-Session>…</X-API-Session>in the XML bodysync.Mutex(logMu) to gate raw*os.Filewrites against concurrent goroutine interleavingservices/registry.go— Bash injection in pull-secret updateusernameandpasswordwere interpolated directly into the shell command string. A password containing',", or$would silently corruptpull-secret-updated.json.shellQuotehelper (POSIX single-quote escaping)env.REG_TOKEN— never appears in the filter stringregistryURLpassed viajq --arg hostas an opaque bound variable($host)shellQuoteto handle spaces in workspace paths🚨 Critical Bugs
validation/validator.go,orchestrator/orchestrator.go— Nil pointer dereference panicLoadBalanceris*ServiceLoadBalancer. Omittingload_balancer:from config leaves itnil. Direct.VIPfield access panics immediately. Replaced all accesses with the existing nil-safe.GetVIP()getter fromtypes.go.localexec/client.go— Cross-cluster race condition inWriteFileTemp file path was
filename.tmp— identical across concurrent processes. Two simultaneousshiftlaunch createruns overwrite each other's staged configs. Fixed by embeddingos.Getpid()in the temp path.cmd/create.go— File descriptor leak on logger reassignmentdefer orch.GetLogger().Close()evaluates the pointer at registration, not at exit. Iforchis replaced later (deleted workspace path), the new logger's file descriptor leaks. Fixed withdefer func() { orch.GetLogger().Close() }().services/downloader.go— Partial download corruptiontest -saccepted truncated files left by an interrupted download (Ctrl+C), causing kernel panics on LPAR boot. Removed the skip guard —curl -C -handles the already-complete case natively. Also wired the previously deadextractHashFromManifestinto both download functions.infra/controller/network.go— Fragile awk column parsingawk '{print $4}'breaks whenip -ooutput columns shift due to interface labels or routing flags, orphaning VIP aliases on teardown. Replaced withgrep -oP '\d+\.\d+\.\d+\.\d+/\d+'.Dependency
Depends on IBM/infra-go-sdk#12 (now merged).
go.modis pinned to the merged commitv0.0.0-20260630034014-da6ea8cba64dwith noreplacedirective.Signed-off-by: SUDEESH JOHN sudeeshjohn@in.ibm.com