fix: fix potential connection leaks on non-ok http status codes

mgoetzegb · mgoetzegb · commit f9043d1bf1a7 · 2025-11-28T12:48:27.000+01:00
Even the response of a non-ok http status code can contain a body. So we should close the body of a (on transport layer) sucessful request unconditionally. Otherwise we can leak a http connection.
diff --git a/cmd/csaf_downloader/downloader.go b/cmd/csaf_downloader/downloader.go
@@ -361,6 +361,7 @@ func (d *Downloader) loadOpenPGPKeys(
 			continue
 		}
 		if res.StatusCode != http.StatusOK {
+			res.Body.Close()
 			slog.Warn(
 				"Fetching public OpenPGP key failed",
 				"url", u,
diff --git a/cmd/csaf_downloader/forwarder.go b/cmd/csaf_downloader/forwarder.go
@@ -259,8 +259,8 @@ func (f *Forwarder) forward(
 			f.storeFailed(filename, doc, sha256, sha512)
 			return
 		}
+		defer res.Body.Close()
 		if res.StatusCode != http.StatusCreated {
-			defer res.Body.Close()
 			if msg, err := limitedString(res.Body, 512); err != nil {
 				slog.Error("reading forward result failed",
 					"error", err)
diff --git a/csaf/advisories.go b/csaf/advisories.go
@@ -230,6 +230,7 @@ func (afp *AdvisoryFileProcessor) loadChanges(
 	if err != nil {
 		return nil, errs.ErrNetwork{Message: fmt.Sprintf("failed get request for url %s: %v", changesURL, err)}
 	}
+	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
 		switch { // we don't expect 401 and 403, as directory based feeds are supposed to be public, but just to be on the safe side
@@ -247,7 +248,6 @@ func (afp *AdvisoryFileProcessor) loadChanges(
 		}
 	}
 
-	defer resp.Body.Close()
 	var files []AdvisoryFile
 	c := csv.NewReader(resp.Body)
 	// format specification:
@@ -331,6 +331,7 @@ func (afp *AdvisoryFileProcessor) processROLIE(
 			continue
 		}
 		if res.StatusCode != http.StatusOK {
+			res.Body.Close()
 			slog.Error("Fetching failed",
 				"url", feedURL, "status_code", res.StatusCode, "status", res.Status)
 			switch {
diff --git a/csaf/providermetaloader.go b/csaf/providermetaloader.go
@@ -248,6 +248,7 @@ func (pmdl *ProviderMetadataLoader) loadFromSecurity(domain string) []*LoadedPro
 			continue
 		}
 		if res.StatusCode != http.StatusOK {
+			res.Body.Close()
 			pmdl.messages.Add(
 				HTTPFailed,
 				fmt.Sprintf("Fetching %q failed: %s (%d)", path, res.Status, res.StatusCode))
@@ -305,6 +306,7 @@ func (pmdl *ProviderMetadataLoader) loadFromURL(path string) *LoadedProviderMeta
 		return &result
 	}
 	if res.StatusCode != http.StatusOK {
+		defer res.Body.Close()
 		result.Messages.Add(
 			HTTPFailed,
 			fmt.Sprintf("fetching %q failed: %s (%d)", path, res.Status, res.StatusCode))
diff --git a/csaf/remotevalidation.go b/csaf/remotevalidation.go
@@ -300,6 +300,7 @@ func (v *remoteValidator) Validate(doc any) (*RemoteValidationResult, error) {
 	if err != nil {
 		return nil, err
 	}
+	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf(
@@ -312,7 +313,6 @@ func (v *remoteValidator) Validate(doc any) (*RemoteValidationResult, error) {
 	)
 
 	if err := func() error {
-		defer resp.Body.Close()
 		var in io.Reader
 		// If we are caching record the incoming data and compress it.
 		if key != nil {

Original file line number	Diff line number	Diff line change
`@@ -361,6 +361,7 @@ func (d *Downloader) loadOpenPGPKeys(`
`361`	`361`	`continue`
`362`	`362`	`}`
`363`	`363`	`if res.StatusCode != http.StatusOK {`
	`364`	`+ res.Body.Close()`
`364`	`365`	`slog.Warn(`
`365`	`366`	`"Fetching public OpenPGP key failed",`
`366`	`367`	`"url", u,`
Original file line number	Diff line number	Diff line change
`@@ -230,6 +230,7 @@ func (afp *AdvisoryFileProcessor) loadChanges(`
`230`	`230`	`if err != nil {`
`231`	`231`	`return nil, errs.ErrNetwork{Message: fmt.Sprintf("failed get request for url %s: %v", changesURL, err)}`
`232`	`232`	`}`
	`233`	`+ defer resp.Body.Close()`
`233`	`234`
`234`	`235`	`if resp.StatusCode != http.StatusOK {`
`235`	`236`	`switch { // we don't expect 401 and 403, as directory based feeds are supposed to be public, but just to be on the safe side`
`@@ -247,7 +248,6 @@ func (afp *AdvisoryFileProcessor) loadChanges(`
`247`	`248`	`}`
`248`	`249`	`}`
`249`	`250`
`250`		`- defer resp.Body.Close()`
`251`	`251`	`var files []AdvisoryFile`
`252`	`252`	`c := csv.NewReader(resp.Body)`
`253`	`253`	`// format specification:`
`@@ -331,6 +331,7 @@ func (afp *AdvisoryFileProcessor) processROLIE(`
`331`	`331`	`continue`
`332`	`332`	`}`
`333`	`333`	`if res.StatusCode != http.StatusOK {`
	`334`	`+ res.Body.Close()`
`334`	`335`	`slog.Error("Fetching failed",`
`335`	`336`	`"url", feedURL, "status_code", res.StatusCode, "status", res.Status)`
`336`	`337`	`switch {`
Original file line number	Diff line number	Diff line change
`@@ -300,6 +300,7 @@ func (v remoteValidator) Validate(doc any) (RemoteValidationResult, error) {`
`300`	`300`	`if err != nil {`
`301`	`301`	`return nil, err`
`302`	`302`	`}`
	`303`	`+ defer resp.Body.Close()`
`303`	`304`
`304`	`305`	`if resp.StatusCode != http.StatusOK {`
`305`	`306`	`return nil, fmt.Errorf(`
`@@ -312,7 +313,6 @@ func (v remoteValidator) Validate(doc any) (RemoteValidationResult, error) {`
`312`	`313`	`)`
`313`	`314`
`314`	`315`	`if err := func() error {`
`315`		`- defer resp.Body.Close()`
`316`	`316`	`var in io.Reader`
`317`	`317`	`// If we are caching record the incoming data and compress it.`
`318`	`318`	`if key != nil {`