Skip to content

Fix panic when an invalid oauth2 name is passed (#20820)#20900

Merged
techknowlogick merged 3 commits into
go-gitea:release/v1.17from
zeripath:backport-20820-v1.17
Aug 22, 2022
Merged

Fix panic when an invalid oauth2 name is passed (#20820)#20900
techknowlogick merged 3 commits into
go-gitea:release/v1.17from
zeripath:backport-20820-v1.17

Conversation

@zeripath
Copy link
Copy Markdown
Contributor

@zeripath zeripath commented Aug 21, 2022

Backport #20820

When trying to access an invalid oauth2 link, we get an internal server error and can see a panic stack-trace in logs

Example:
Try to go to this url for a gitea installation
https://<gitea_url>/user/oauth2/DoesNotExist?redirect_to=

It causes an internal server error

Stack trace in log

2022/08/17 01:26:50 routers/web/base.go:134:1() [E] [62fc43da] PANIC: runtime error: invalid memory address or nil pointer dereference
        /usr/local/go/src/runtime/panic.go:220 (0x453095)
        /usr/local/go/src/runtime/signal_unix.go:818 (0x453065)
        /source/routers/web/auth/oauth.go:1100 (0x20f6ef7)
        /source/routers/web/auth/oauth.go:785 (0x20f4684)
        /source/modules/web/wrap_convert.go:47 (0x1f45196)
        /source/modules/web/wrap.go:41 (0x1f433c9)
        /usr/local/go/src/net/http/server.go:2084 (0x93cace)
       <clipped>

Root cause:

In this line here, err is nil. The caller assumes no error and tries to access a nil *Source

@balki @zeripath
Fix panic when an invalid oauth2 name is passed (go-gitea#20820)
b6d425f 
Backport go-gitea#20820

When trying to access an invalid oauth2 link, we get an internal server error and can see a panic stack-trace in logs

Example:
Try to go to this url for a gitea installation
https://<gitea_url>/user/oauth2/DoesNotExist?redirect_to=

It causes an internal server error

Stack trace in log

```
2022/08/17 01:26:50 routers/web/base.go:134:1() [E] [62fc43da] PANIC: runtime error: invalid memory address or nil pointer dereference
        /usr/local/go/src/runtime/panic.go:220 (0x453095)
        /usr/local/go/src/runtime/signal_unix.go:818 (0x453065)
        /source/routers/web/auth/oauth.go:1100 (0x20f6ef7)
        /source/routers/web/auth/oauth.go:785 (0x20f4684)
        /source/modules/web/wrap_convert.go:47 (0x1f45196)
        /source/modules/web/wrap.go:41 (0x1f433c9)
        /usr/local/go/src/net/http/server.go:2084 (0x93cace)
       <clipped>
```

Root cause:

In this [line](https://github.com/go-gitea/gitea/blob/a4e91c4197483c94f13e623c962b6b011494e949/models/auth/oauth2.go#L516) here, err is nil. The caller assumes no error and tries to access a `nil *Source`
@zeripath zeripath added this to the 1.17.2 milestone Aug 21, 2022
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Aug 21, 2022
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Aug 21, 2022
@techknowlogick techknowlogick merged commit 37458bf into go-gitea:release/v1.17 Aug 22, 2022
@zeripath zeripath deleted the backport-20820-v1.17 branch August 22, 2022 19:51
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@lunny lunny lunny approved these changes

+1 more reviewer

@jolheiser jolheiser jolheiser approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug

Projects

None yet

Milestone

1.17.2

Development

Successfully merging this pull request may close these issues.

6 participants

@zeripath @lunny @jolheiser @techknowlogick @GiteaBot @balki