zeripath

Backport go-gitea#20820

When trying to access an invalid oauth2 link, we get an internal server error and can see a panic stack-trace in logs

Example:
Try to go to this url for a gitea installation
`https://<gitea_url>/user/oauth2/DoesNotExist?redirect_to=`

It causes an internal server error

Stack trace in log

```
2022/08/17 01:26:50 routers/web/base.go:134:1() [E] [62fc43da] PANIC: runtime error: invalid memory address or nil pointer dereference
        /usr/local/go/src/runtime/panic.go:220 (0x453095)
        /usr/local/go/src/runtime/signal_unix.go:818 (0x453065)
        /source/routers/web/auth/oauth.go:1100 (0x20f6ef7)
        /source/routers/web/auth/oauth.go:785 (0x20f4684)
        /source/modules/web/wrap_convert.go:47 (0x1f45196)
        /source/modules/web/wrap.go:41 (0x1f433c9)
        /usr/local/go/src/net/http/server.go:2084 (0x93cace)
       <clipped>
```

Root cause:

In this [line](https://github.com/go-gitea/gitea/blob/a4e91c4197483c94f13e623c962b6b011494e949/models/auth/oauth2.go#L516) here, err is nil. The caller assumes no error and tries to access a `nil *Source`

zeripath added this to the 1.17.2 milestone Aug 21, 2022
GiteaBot added the lgtm/need 1 label Aug 21, 2022
GiteaBot added lgtm/done and removed lgtm/need 1 labels Aug 21, 2022
techknowlogick merged commit 37458bf into go-gitea:release/v1.17 Aug 22, 2022
zeripath deleted the backport-20820-v1.17 branch August 22, 2022 19:51
go-gitea locked and limited conversation to collaborators May 3, 2023
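
The root cause described in the pull request, a lookup that returns a nil pointer together with a nil error, shown as an added example that is not part of the original conversation and is not Gitea's code. `Source`, `lookupBuggy`, `lookupFixed`, `statusFor` and the sample provider data are hypothetical names and constructed values; returning an error on a miss is one way to close the gap, not necessarily the change that was merged.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Source is a hypothetical stand-in for a configured OAuth2 login source.
type Source struct{ Name, AuthURL string }

// Constructed sample data: a single configured provider.
var sources = map[string]*Source{"github": {Name: "github", AuthURL: "https://idp.example/authorize"}}

// lookupBuggy reproduces the root cause: a miss returns (nil, nil).
func lookupBuggy(name string) (*Source, error) { return sources[name], nil }

// lookupFixed reports a miss as an error, so a nil error implies a usable *Source.
func lookupFixed(name string) (*Source, error) {
	if s, ok := sources[name]; ok {
		return s, nil
	}
	return nil, fmt.Errorf("oauth2 source %q not found", name)
}

// statusFor requests /user/oauth2/<provider> and returns the HTTP status; recover stands in for the server's panic handler.
func statusFor(lookup func(string) (*Source, error), provider string) int {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if recover() != nil {
				w.WriteHeader(http.StatusInternalServerError)
			}
		}()
		src, err := lookup(strings.TrimPrefix(r.URL.Path, "/user/oauth2/"))
		if err != nil {
			http.NotFound(w, r) // unknown provider: plain 404, no panic
			return
		}
		http.Redirect(w, r, src.AuthURL, http.StatusFound) // panics if src is nil
	})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "/user/oauth2/"+provider+"?redirect_to=", nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"github", "DoesNotExist"} {
		fmt.Println(p, "buggy:", statusFor(lookupBuggy, p), "fixed:", statusFor(lookupFixed, p))
	}
}
```

A unit test that requests an unconfigured provider name and asserts a non-5xx status catches this class of regression without needing a real identity provider.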