Fix several render issues highlighted during fuzzing #14986

Merged: 12 commits, Mar 15, 2021

@zeripath zeripath commented Mar 13, 2021

  • Fix an issue with panics related to attributes
  • Wrap goldmark render in a recovery function
  • Reduce memory use in render emoji
  • Use a pipe for rendering goldmark - still needs more work and a limiter

Signed-off-by: Andrew Thornton art27@cantab.net
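
An added illustration of the pattern the description lists (recovery wrapper, pipe, limiter); it is not code from this PR or from Gitea. `renderFunc`, `safeRender`, `errTooLarge` and the two sample renderers are hypothetical names, and the byte cap is an assumed form of the "limiter" the description says is still needed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// renderFunc is a hypothetical stand-in for a markdown renderer call.
type renderFunc func(src []byte, w io.Writer) error

var errTooLarge = fmt.Errorf("rendered output exceeds limit")

// safeRender runs render in a goroutine writing into a pipe. A renderer panic
// is recovered and reaches the reader as an error; output is capped at limit.
func safeRender(render renderFunc, src []byte, limit int64) ([]byte, error) {
	pr, pw := io.Pipe()
	go func() {
		defer func() {
			if r := recover(); r != nil {
				_ = pw.CloseWithError(fmt.Errorf("render panic: %v", r))
			}
		}()
		_ = pw.CloseWithError(render(src, pw)) // a nil error closes with io.EOF
	}()
	var buf bytes.Buffer
	n, err := io.Copy(&buf, io.LimitReader(pr, limit+1))
	if err == nil && n > limit {
		err = errTooLarge
	}
	_ = pr.CloseWithError(err) // fails any further write so the goroutine can exit
	if err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Constructed renderers: one well-behaved, one that panics on short input.
func okRender(src []byte, w io.Writer) error {
	_, err := w.Write(src)
	return err
}
func panicRender(src []byte, w io.Writer) error {
	return okRender([]byte{src[7]}, w) // index out of range when len(src) < 8
}

func main() {
	fmt.Println(safeRender(panicRender, []byte("hi"), 1<<20))
}
```

A renderer that ignores write errors and never returns would still leak its goroutine; the cap bounds memory held by the caller, not CPU spent in the renderer.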

* Fix an issue with panics related to attributes
* Wrap goldmark render in a recovery function
* Reduce memory use in render emoji

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added this to the 1.14.0 milestone Mar 13, 2021
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Mar 13, 2021
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Mar 14, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Mar 15, 2021
@6543 6543 merged commit ed31ddc into go-gitea:master Mar 15, 2021
@6543 6543 mentioned this pull request Mar 15, 2021
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Mar 16, 2021
@zeripath zeripath deleted the fuzz-fixes-part-1 branch March 16, 2021 09:30
@zeripath zeripath changed the title Fix several render issues Fix several render issues highlighted during fuzzing Mar 16, 2021
@zeripath

Further details as to the security fixes related to this PR are not prudent to disclose at present - interested parties can discuss with the maintainers on discord.

zeripath added a commit to zeripath/gitea that referenced this pull request Mar 16, 2021
Backport go-gitea#14986

* Fix an issue with panics related to attributes
* Wrap goldmark render in a recovery function
* Reduce memory use in render emoji
* Use a pipe for rendering goldmark - still needs more work and a limiter

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
lafriks added a commit that referenced this pull request Mar 17, 2021
Backport #14986

* Fix an issue with panics related to attributes
* Wrap goldmark render in a recovery function
* Reduce memory use in render emoji
* Use a pipe for rendering goldmark - still needs more work and a limiter

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
@go-gitea go-gitea locked and limited conversation to collaborators May 13, 2021
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug