
Commit 912313c

Browse files
authored
use status.Error instead of status.Errorf (#397)
Use `status.Error` instead of `status.Errorf` when the format string is non-constant and not actually a format string. In the case of the validator middleware, the error being supplied as a format string could potentially contain data supplied by an attacker, allowing for format string injection. This doesn't appear to be an actual problem, since `fmt` is safe in this regard, but it certainly isn't good practice to provide a format string that an attacker can control. Fixes #396
1 parent fab13c2 commit 912313c

2 files changed

+9
-7
lines changed

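--- a/retry/retry.go
+++ b/retry/retry.go
@@ -236,7 +236,9 @@ func (s *serverStreamingRetryingStream) receiveMsgAndIndicateRetry(m interface{}
 	return isRetriable(err, s.callOpts), err
 }
 
-func (s *serverStreamingRetryingStream) reestablishStreamAndResendBuffer(callCtx context.Context) (grpc.ClientStream, error) {
+func (s *serverStreamingRetryingStream) reestablishStreamAndResendBuffer(
+	callCtx context.Context,
+) (grpc.ClientStream, error) {
 	s.mu.RLock()
 	bufferedSends := s.bufferedSends
 	s.mu.RUnlock()
@@ -310,11 +312,11 @@ func perCallContext(parentCtx context.Context, callOpts *options, attempt uint)
 func contextErrToGrpcErr(err error) error {
 	switch err {
 	case context.DeadlineExceeded:
-		return status.Errorf(codes.DeadlineExceeded, err.Error())
+		return status.Error(codes.DeadlineExceeded, err.Error())
 	case context.Canceled:
-		return status.Errorf(codes.Canceled, err.Error())
+		return status.Error(codes.Canceled, err.Error())
 	default:
-		return status.Errorf(codes.Unknown, err.Error())
+		return status.Error(codes.Unknown, err.Error())
 	}
 }
 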
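Review bot: contextErrToGrpcErr still matches with `switch err` against the sentinel values, so a wrapped context error (one built with `%w` around ctx.Err()) skips both typed cases and is reported to the caller as codes.Unknown rather than DeadlineExceeded/Canceled. If the module's Go version has errors.Is, `switch { case errors.Is(err, context.DeadlineExceeded):` and `case errors.Is(err, context.Canceled):` keep the mapping for wrapped errors; the `errors` import would need adding, and the file's import block is not in this view. The grpc status package also has `status.FromContextError`, which may already do this mapping depending on the grpc-go version pinned in go.mod. A one-line comment at the switch would also record the reason for the API change, e.g. `// status.Error, not Errorf: err.Error() is an arbitrary string, not a format string.`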
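--- a/validator/validator.go
+++ b/validator/validator.go
@@ -22,7 +22,7 @@ func UnaryServerInterceptor() grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
 		if v, ok := req.(validator); ok {
 			if err := v.Validate(); err != nil {
-				return nil, status.Errorf(codes.InvalidArgument, err.Error())
+				return nil, status.Error(codes.InvalidArgument, err.Error())
 			}
 		}
 		return handler(ctx, req)
@@ -36,7 +36,7 @@ func UnaryClientInterceptor() grpc.UnaryClientInterceptor {
 	return func(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
 		if v, ok := req.(validator); ok {
 			if err := v.Validate(); err != nil {
-				return status.Errorf(codes.InvalidArgument, err.Error())
+				return status.Error(codes.InvalidArgument, err.Error())
 			}
 		}
 		return invoker(ctx, method, req, reply, cc, opts...)
@@ -66,7 +66,7 @@ func (s *recvWrapper) RecvMsg(m interface{}) error {
 	}
 	if v, ok := m.(validator); ok {
 		if err := v.Validate(); err != nil {
-			return status.Errorf(codes.InvalidArgument, err.Error())
+			return status.Error(codes.InvalidArgument, err.Error())
 		}
 	}
 	return nil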
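Review bot: All three sites in this file still forward the validator's `err.Error()` verbatim as the status message sent to the peer; switching to `status.Error` removes the format-string concern the commit describes, but not the question of what text `Validate()` embeds, since a validator that quotes field contents in its message would now return that content to the caller. Whether that is acceptable depends on the validator implementations in use, which are not visible here, so it is worth a deliberate decision rather than an accident of the message format. A comment at the first site would make that decision explicit, e.g. `// The validation message is sent to the peer as-is; keep Validate() errors free of request payload data.` The enclosing closures in UnaryServerInterceptor and UnaryClientInterceptor, and recvWrapper.RecvMsg, each begin outside their hunk.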
