Fix resource leak if HTTP fetch fails

If the HTTP fetch failed, the io.Pipe created to pass the response body to the goroutines that compute the SHA256 hash and verify the signature would be leaked.

Fix resource leak if HTTP fetch fails
a31f6395 · Bob Callaway · a43e0505 · a31f6395 · a31f6395
Commit a31f6395 authored 4 years ago by Bob Callaway
--- a/go.sum
+++ b/go.sum
@@ -664,6 +664,7 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a h1:WXEvlFVvvGxCJLG6REjsT03iWnKLEWinaScsxF2Vm2o=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
 golang.org/x/sys v0.0.0-20171026204733-164713f0dfce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=

--- a/pkg/types/types.go
+++ b/pkg/types/types.go
@@ -131,9 +131,6 @@ func ParseRekorEntry(r io.Reader, leaf RekorLeaf) (*RekorEntry, error) {

 func (r *RekorEntry) Load(ctx context.Context) error {

-	hashR, hashW := io.Pipe()
-	sigR, sigW := io.Pipe()
-
 	if err := r.ValidateLeaf(); err != nil {
 		return err
 	}
@@ -145,6 +142,9 @@ func (r *RekorEntry) Load(ctx context.Context) error {
 		if err != nil {
 			return err
 		}
+		if resp.StatusCode < 200 || resp.StatusCode > 299 {
+			return fmt.Errorf("Error received while fetching artifact: %v", resp.Status)
+		}
 		defer resp.Body.Close()

 		// read first 512 bytes to determine if content is gzip compressed
@@ -165,6 +165,11 @@ func (r *RekorEntry) Load(ctx context.Context) error {

 	g, ctx := errgroup.WithContext(ctx)

+	hashR, hashW := io.Pipe()
+	sigR, sigW := io.Pipe()
+	defer hashR.Close()
+	defer sigR.Close()
+
 	g.Go(func() error {
 		defer hashW.Close()
 		defer sigW.Close()
@@ -179,9 +184,7 @@ func (r *RekorEntry) Load(ctx context.Context) error {
 	hashResult := make(chan string)

 	g.Go(func() error {
-		defer hashR.Close()
 		defer close(hashResult)
-
 		hasher := sha256.New()

 		if _, err := io.Copy(hasher, hashR); err != nil {
@@ -202,8 +205,6 @@ func (r *RekorEntry) Load(ctx context.Context) error {
 	})

 	g.Go(func() error {
-		defer sigR.Close()
-
 		if err := r.sigObject.Verify(sigR, r.keyObject); err != nil {
 			return err
 		}