Merge pull request kubernetes#88695 from gavinfish/unsafe-json

k8s-ci-robot · web-flow · commit 5b3fe0564d27 · 2020-06-01T10:27:56.000-07:00
Fix unsafe json construction for scale.go and codec_check.go
diff --git a/staging/src/k8s.io/apimachinery/pkg/runtime/codec_check.go b/staging/src/k8s.io/apimachinery/pkg/runtime/codec_check.go
@@ -21,6 +21,7 @@ import (
 	"reflect"
 
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/json"
 )
 
 // CheckCodec makes sure that the codec can encode objects like internalType,
@@ -32,7 +33,14 @@ func CheckCodec(c Codec, internalType Object, externalTypes ...schema.GroupVersi
 		return fmt.Errorf("Internal type not encodable: %v", err)
 	}
 	for _, et := range externalTypes {
-		exBytes := []byte(fmt.Sprintf(`{"kind":"%v","apiVersion":"%v"}`, et.Kind, et.GroupVersion().String()))
+		typeMeta := TypeMeta{
+			Kind:       et.Kind,
+			APIVersion: et.GroupVersion().String(),
+		}
+		exBytes, err := json.Marshal(&typeMeta)
+		if err != nil {
+			return err
+		}
 		obj, err := Decode(c, exBytes)
 		if err != nil {
 			return fmt.Errorf("external type %s not interpretable: %v", et, err)
diff --git a/staging/src/k8s.io/kubectl/pkg/scale/BUILD b/staging/src/k8s.io/kubectl/pkg/scale/BUILD
@@ -12,6 +12,7 @@ go_library(
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/util/json:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//staging/src/k8s.io/client-go/scale:go_default_library",
     ],
diff --git a/staging/src/k8s.io/kubectl/pkg/scale/scale.go b/staging/src/k8s.io/kubectl/pkg/scale/scale.go
@@ -27,6 +27,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/json"
 	"k8s.io/apimachinery/pkg/util/wait"
 	scaleclient "k8s.io/client-go/scale"
 )
@@ -136,7 +137,21 @@ func (s *genericScaler) ScaleSimple(namespace, name string, preconditions *Scale
 		return updatedScale.ResourceVersion, nil
 	}
 
-	patch := []byte(fmt.Sprintf(`{"spec":{"replicas":%d}}`, newSize))
+	// objectForReplicas is used for encoding scale patch
+	type objectForReplicas struct {
+		Replicas uint `json:"replicas"`
+	}
+	// objectForSpec is used for encoding scale patch
+	type objectForSpec struct {
+		Spec objectForReplicas `json:"spec"`
+	}
+	spec := objectForSpec{
+		Spec: objectForReplicas{Replicas: newSize},
+	}
+	patch, err := json.Marshal(&spec)
+	if err != nil {
+		return "", err
+	}
 	patchOptions := metav1.PatchOptions{}
 	if dryRun {
 		patchOptions.DryRun = []string{metav1.DryRunAll}
