Ensure sorting of chunks before extracting it's size

* Better error messages for decoding in log

Author: ChristopherHX

routers/api/actions/artifactsv4.go

@@ -95,6 +95,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -181,10 +182,15 @@ func (r artifactV4Routes) verifySignature(ctx *ArtifactContext, endp string) (*a
 	sig := ctx.Req.URL.Query().Get("sig")
 	expires := ctx.Req.URL.Query().Get("expires")
 	artifactName := ctx.Req.URL.Query().Get("artifactName")
-	dsig, _ := base64.RawURLEncoding.DecodeString(sig)
-	taskID, _ := strconv.ParseInt(rawTaskID, 10, 64)
-	artifactID, _ := strconv.ParseInt(rawArtifactID, 10, 64)
-
+	dsig, errSig := base64.RawURLEncoding.DecodeString(sig)
+	taskID, errTask := strconv.ParseInt(rawTaskID, 10, 64)
+	artifactID, errArtifactID := strconv.ParseInt(rawArtifactID, 10, 64)
+	err := errors.Join(errSig, errTask, errArtifactID)
+	if err != nil {
+		log.Error("Error decoding signature values: %v", err)
+		ctx.HTTPError(http.StatusBadRequest, "Error decoding signature values")
+		return nil, "", false
+	}
 	expecedsig := r.buildSignature(endp, expires, artifactName, taskID, artifactID)
 	if !hmac.Equal(dsig, expecedsig) {
 		log.Error("Error unauthorized")
@@ -406,6 +412,9 @@ func (r *artifactV4Routes) finalizeArtifact(ctx *ArtifactContext) {
 		ctx.HTTPError(http.StatusInternalServerError, "Error merge chunks")
 		return
 	}
+	sort.Slice(chunks, func(i, j int) bool {
+		return chunks[i].Start < chunks[j].Start
+	})
 	artifact.FileSize = chunks[len(chunks)-1].End + 1
 	artifact.FileCompressedSize = chunks[len(chunks)-1].End + 1
 

tests/integration/api_actions_artifact_v4_test.go

@@ -101,78 +101,80 @@ func TestActionsArtifactV4UploadSingleFile(t *testing.T) {
 	}
 
 	for _, entry := range table {
-		// acquire artifact upload url
-		req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{
-			Version:                 entry.version,
-			Name:                    entry.name,
-			WorkflowRunBackendId:    "792",
-			WorkflowJobRunBackendId: "193",
-		})).AddTokenAuth(token)
-		resp := MakeRequest(t, req, http.StatusOK)
-		var uploadResp actions.CreateArtifactResponse
-		protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)
-		assert.True(t, uploadResp.Ok)
-		assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")
-
-		h := sha256.New()
-
-		blocks := make([]string, 0, util.Iif(entry.blockID, entry.append+1, 0))
-
-		// get upload url
-		idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")
-		for i := range entry.append + 1 {
-			url := uploadResp.SignedUploadUrl[idx:]
-			// See https://learn.microsoft.com/en-us/rest/api/storageservices/append-block
-			// See https://learn.microsoft.com/en-us/rest/api/storageservices/put-block
-			if entry.blockID {
-				blockID := base64.RawURLEncoding.EncodeToString(fmt.Append([]byte("SOME_BIG_BLOCK_ID_"), i))
-				blocks = append(blocks, blockID)
-				url += "&comp=block&blockid=" + blockID
-			} else {
-				url += "&comp=appendBlock"
+		t.Run(entry.name, func(t *testing.T) {
+			// acquire artifact upload url
+			req := NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/CreateArtifact", toProtoJSON(&actions.CreateArtifactRequest{
+				Version:                 entry.version,
+				Name:                    entry.name,
+				WorkflowRunBackendId:    "792",
+				WorkflowJobRunBackendId: "193",
+			})).AddTokenAuth(token)
+			resp := MakeRequest(t, req, http.StatusOK)
+			var uploadResp actions.CreateArtifactResponse
+			protojson.Unmarshal(resp.Body.Bytes(), &uploadResp)
+			assert.True(t, uploadResp.Ok)
+			assert.Contains(t, uploadResp.SignedUploadUrl, "/twirp/github.actions.results.api.v1.ArtifactService/UploadArtifact")
+
+			h := sha256.New()
+
+			blocks := make([]string, 0, util.Iif(entry.blockID, entry.append+1, 0))
+
+			// get upload url
+			idx := strings.Index(uploadResp.SignedUploadUrl, "/twirp/")
+			for i := range entry.append + 1 {
+				url := uploadResp.SignedUploadUrl[idx:]
+				// See https://learn.microsoft.com/en-us/rest/api/storageservices/append-block
+				// See https://learn.microsoft.com/en-us/rest/api/storageservices/put-block
+				if entry.blockID {
+					blockID := base64.RawURLEncoding.EncodeToString(fmt.Append([]byte("SOME_BIG_BLOCK_ID_"), i))
+					blocks = append(blocks, blockID)
+					url += "&comp=block&blockid=" + blockID
+				} else {
+					url += "&comp=appendBlock"
+				}
+
+				// upload artifact chunk
+				body := strings.Repeat("A", 1024)
+				_, _ = h.Write([]byte(body))
+				var bodyReader io.Reader = strings.NewReader(body)
+				if entry.noLength {
+					bodyReader = io.MultiReader(bodyReader)
+				}
+				req = NewRequestWithBody(t, "PUT", url, bodyReader)
+				MakeRequest(t, req, http.StatusCreated)
 			}
 
-			// upload artifact chunk
-			body := strings.Repeat("A", 1024)
-			_, _ = h.Write([]byte(body))
-			var bodyReader io.Reader = strings.NewReader(body)
-			if entry.noLength {
-				bodyReader = io.MultiReader(bodyReader)
+			if entry.blockID && entry.append > 0 {
+				// https://learn.microsoft.com/en-us/rest/api/storageservices/put-block-list
+				blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"
+				// upload artifact blockList
+				blockList := &actions.BlockList{
+					Latest: blocks,
+				}
+				rawBlockList, err := xml.Marshal(blockList)
+				assert.NoError(t, err)
+				req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))
+				MakeRequest(t, req, http.StatusCreated)
 			}
-			req = NewRequestWithBody(t, "PUT", url, bodyReader)
-			MakeRequest(t, req, http.StatusCreated)
-		}
-
-		if entry.blockID && entry.append > 0 {
-			// https://learn.microsoft.com/en-us/rest/api/storageservices/put-block-list
-			blockListURL := uploadResp.SignedUploadUrl[idx:] + "&comp=blocklist"
-			// upload artifact blockList
-			blockList := &actions.BlockList{
-				Latest: blocks,
-			}
-			rawBlockList, err := xml.Marshal(blockList)
-			assert.NoError(t, err)
-			req = NewRequestWithBody(t, "PUT", blockListURL, bytes.NewReader(rawBlockList))
-			MakeRequest(t, req, http.StatusCreated)
-		}
-
-		sha := h.Sum(nil)
-
-		t.Logf("Create artifact confirm")
-
-		// confirm artifact upload
-		req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{
-			Name:                    entry.name,
-			Size:                    int64(entry.append+1) * 1024,
-			Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha)),
-			WorkflowRunBackendId:    "792",
-			WorkflowJobRunBackendId: "193",
-		})).
-			AddTokenAuth(token)
-		resp = MakeRequest(t, req, http.StatusOK)
-		var finalizeResp actions.FinalizeArtifactResponse
-		protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)
-		assert.True(t, finalizeResp.Ok)
+
+			sha := h.Sum(nil)
+
+			t.Logf("Create artifact confirm")
+
+			// confirm artifact upload
+			req = NewRequestWithBody(t, "POST", "/twirp/github.actions.results.api.v1.ArtifactService/FinalizeArtifact", toProtoJSON(&actions.FinalizeArtifactRequest{
+				Name:                    entry.name,
+				Size:                    int64(entry.append+1) * 1024,
+				Hash:                    wrapperspb.String("sha256:" + hex.EncodeToString(sha)),
+				WorkflowRunBackendId:    "792",
+				WorkflowJobRunBackendId: "193",
+			})).
+				AddTokenAuth(token)
+			resp = MakeRequest(t, req, http.StatusOK)
+			var finalizeResp actions.FinalizeArtifactResponse
+			protojson.Unmarshal(resp.Body.Bytes(), &finalizeResp)
+			assert.True(t, finalizeResp.Ok)
+		})
 	}
 }