odeke-em
Events

pull request opened
fix: runtime: fix (*App).RegisterModules inconsistency in checking/memoizing appModule

Fixes an inconsistency in checking for duplicates in ModuleManager's Modules[name] and then also in basicManager[name], in which memoization could happen for .Module[name] but fail after a duplicate check in basicManager[name]. This change instead only memoizes the AppModule after the duplicate checks have all cleared.

Fixes #14006

Created at 15 hours ago
create branch
odeke-em create branch runtime-fix-RegisterModules-inconsistency-in-memoizing
Created at 15 hours ago
delete branch
odeke-em delete branch cmd-cosign-cli-close-files-before-deletion
Created at 1 day ago
opened issue
extras: run gosec on found roots so as to minimize gosec false positives

Requested offline by @ebuchman: it would be interesting, for identified state-diffed roots and changes, to also pass them into gosec, which would then run only on those code sections.

Created at 1 day ago

refactor: x/nft audit changes (#14055)

Description

ref: #13991


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

  • [ ] included the correct type prefix in the PR title
  • [ ] added ! to the type prefix if API or client breaking change
  • [ ] targeted the correct branch (see PR Targeting)
  • [ ] provided a link to the relevant issue or specification
  • [ ] followed the guidelines for building modules
  • [ ] included the necessary unit and integration tests
  • [ ] added a changelog entry to CHANGELOG.md
  • [ ] included comments for documenting Go code
  • [ ] updated the relevant documentation or specification
  • [ ] reviewed "Files changed" and left comments if necessary
  • [ ] confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

I have...

  • [ ] confirmed the correct type prefix in the PR title
  • [ ] confirmed ! in the type prefix if API or client breaking change
  • [ ] confirmed all author checklist items have been addressed
  • [ ] reviewed state machine logic
  • [ ] reviewed API design and naming
  • [ ] reviewed documentation is accurate
  • [ ] reviewed tests and test coverage
  • [ ] manually tested (if applicable)

chore: (x/feegrant) add missing test scenarios (#14018)

  • add missing test scenarios

  • review changes

fix: fix issues found by sonarcloud (#14081)

Co-authored-by: Marko marbar3778@yahoo.com

fix(group)!: Don't re-tally proposals after VP end (#14071)

chore: (x/mint) improve code cov (#14066)

Description

missed the test coverage in last audit. ref: #13988 #13456


Merge branch 'main' into JeancarloBarrios/add-bounded-mempool

Created at 2 days ago

cmd/cosign/cli: invoke tempFile.Close before deletion

Fixes potential file leaks before invoking os.Remove, a condition in which an attacker in another process on Windows who could finagle a handle to the open files could hold them open and then even prevent os.Remove from deleting the files.

Found as part of Orijtech Inc's supply chain analysis program for the Cosmos Network/ecosystem.

Fixes #2495

Signed-off-by: Emmanuel T Odeke emmanuel@orijtech.com

Created at 2 days ago
pull request opened
cmd/cosign/cli: invoke tempFile.Close before deletion
Fixes #2495

Created at 2 days ago
create branch
odeke-em create branch cmd-cosign-cli-close-files-before-deletion
Created at 2 days ago
opened issue
cmd/cosign/cli: some files aren't closed before they are deleted

Description

I ran one of Orijtech Inc's tools, staticmajor, on this repo and it reported

$ staticmajor -resleak=true -resleak.fuzzy=true ./...
/Users/emmanuelodeke/go/src/github.com/sigstore/cosign/cmd/cosign/cli/policy_init.go:144:35: leaking resource
/Users/emmanuelodeke/go/src/github.com/sigstore/cosign/cmd/cosign/cli/policy_init.go:307:35: leaking resource

with credible reports https://github.com/sigstore/cosign/blob/8d2a1a6e16f0375c05314481206cc591c51c041e/cmd/cosign/cli/policy_init.go#L144-L150

and

https://github.com/sigstore/cosign/blob/8d2a1a6e16f0375c05314481206cc591c51c041e/cmd/cosign/cli/policy_init.go#L307-L312

for which there are credible leaks that could even be used to prevent a file deletion if one finagled that file handle to the process in the time before the defer os.Remove(tempFile.Name()) was invoked, say on Windows.

Version: At commit 8d2a1a6e16f0375c05314481206cc591c51c041e

Remedy: Invoke tempFile.Close() before os.Remove(tempFile.Name()) per

diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
index 1f4be09c..b05b6dd7 100644
--- a/cmd/cosign/cli/policy_init.go
+++ b/cmd/cosign/cli/policy_init.go
@@ -146,7 +146,10 @@ func initPolicy() *cobra.Command {
 					return err
 				}
 				outfile = tempFile.Name()
-				defer os.Remove(tempFile.Name())
+				defer func() {
+					tempFile.Close()
+					os.Remove(tempFile.Name())
+				}()
 			}
 
 			files := []cremote.File{
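Review bot: the deferred closure in initPolicy discards the return values of both tempFile.Close() and os.Remove(), so a removal that still fails (for example because another handle to the file is open on Windows, the very condition this change is meant to avoid) would go unnoticed. Suggest at least surfacing the remove error, e.g. `if err := os.Remove(tempFile.Name()); err != nil { /* log or warn */ }`, so a leftover temp file is visible to the operator rather than silently left on disk.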
@@ -309,7 +312,10 @@ func signPolicy() *cobra.Command {
 					return err
 				}
 				outfile = tempFile.Name()
-				defer os.Remove(tempFile.Name())
+				defer func() {
+					tempFile.Close()
+					os.Remove(tempFile.Name())
+				}()
 			}
 
 			files := []cremote.File{
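Review bot: this hunk in signPolicy repeats the same four-line close-then-remove cleanup as the one in initPolicy. A small shared helper (say a hypothetical `closeAndRemove(f *os.File)` deferred at both sites) would keep the two cleanups from drifting apart and give a single place to add error reporting for the Close and Remove calls.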

/cc @elias-orijtech

Created at 2 days ago