CVE 2021 3538 fix (#1441)

* using gofrs library for UUID creation * fixing import order in go.mod * adding error handlers * import order and go lint fixes * fixing go.sum * lint fix
kanisterio · May 23, 2022 · cdd8f8d · cdd8f8d
1 parent 81e3e16
commit cdd8f8d
Show file tree

Hide file tree

Showing 8 changed files with 80 additions and 29 deletions.
diff --git a/go.mod b/go.mod
@@ -23,6 +23,7 @@ require (
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-openapi/strfmt v0.19.3
 	github.com/go-sql-driver/mysql v1.6.0
+	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang/mock v1.6.0
 	github.com/google/uuid v1.3.0
 	github.com/graymeta/stow v0.0.0-00010101000000-000000000000
@@ -40,7 +41,6 @@ require (
 	github.com/openshift/client-go v0.0.0-20200521150516-05eb9880269c
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.12.1
-	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.4.0
 	github.com/vmware/govmomi v0.27.4
@@ -104,7 +104,6 @@ require (
 	github.com/go-openapi/jsonreference v0.19.5 // indirect
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
-	github.com/gofrs/uuid v4.0.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect

diff --git a/go.sum b/go.sum
@@ -398,8 +398,8 @@ github.com/gobwas/ws v1.1.0/go.mod h1:nzvNcVha5eUziGrbxFCo6qFIojQHjJV5cLYIbezhfL
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
-github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
-github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
+github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -873,7 +873,6 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/sanity-io/litter v1.5.4/go.mod h1:9gzJgR2i4ZpjZHsKvUXIRQVk7P+yM3e+jAF7bU2UI5U=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=

diff --git a/pkg/blockstorage/awsefs/awsefs.go b/pkg/blockstorage/awsefs/awsefs.go
@@ -24,8 +24,8 @@ import (
 	"github.com/aws/aws-sdk-go/service/backup"
 	awsefs "github.com/aws/aws-sdk-go/service/efs"
 	"github.com/aws/aws-sdk-go/service/sts"
+	uuid "github.com/gofrs/uuid"
 	"github.com/pkg/errors"
-	uuid "github.com/satori/go.uuid"
 	"k8s.io/apimachinery/pkg/util/rand"
 
 	awsconfig "github.com/kanisterio/kanister/pkg/aws"
@@ -112,7 +112,11 @@ func (e *Efs) Type() blockstorage.Type {
 // volume info that is sent back from the AWS EFS.
 func (e *Efs) VolumeCreate(ctx context.Context, volume blockstorage.Volume) (*blockstorage.Volume, error) {
 	req := &awsefs.CreateFileSystemInput{}
-	req.SetCreationToken(uuid.NewV4().String())
+	reqId, err := uuid.NewV4()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	req.SetCreationToken(reqId.String())
 	req.SetPerformanceMode(defaultPerformanceMode)
 	req.SetThroughputMode(defaultThroughputMode)
 	req.SetTags(convertToEFSTags(blockstorage.KeyValueToMap(volume.Tags)))

diff --git a/pkg/blockstorage/azure/azuredisk.go b/pkg/blockstorage/azure/azuredisk.go
@@ -12,8 +12,8 @@ import (
 	azcompute "github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2019-03-01/compute"
 	"github.com/Azure/azure-sdk-for-go/storage"
 	azto "github.com/Azure/go-autorest/autorest/to"
+	uuid "github.com/gofrs/uuid"
 	"github.com/pkg/errors"
-	uuid "github.com/satori/go.uuid"
 
 	"github.com/kanisterio/kanister/pkg/blockstorage"
 	ktags "github.com/kanisterio/kanister/pkg/blockstorage/tags"
@@ -68,7 +68,11 @@ func (s *AdStorage) VolumeGet(ctx context.Context, id string, zone string) (*blo
 
 func (s *AdStorage) VolumeCreate(ctx context.Context, volume blockstorage.Volume) (*blockstorage.Volume, error) {
 	tags := blockstorage.SanitizeTags(blockstorage.KeyValueToMap(volume.Tags))
-	diskName := fmt.Sprintf(volumeNameFmt, uuid.NewV1().String())
+	diskId, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	diskName := fmt.Sprintf(volumeNameFmt, diskId.String())
 	diskProperties := &azcompute.DiskProperties{
 		DiskSizeGB: azto.Int32Ptr(int32(blockstorage.SizeInGi(volume.SizeInBytes))),
 		CreationData: &azcompute.CreationData{
@@ -128,10 +132,11 @@ func (s *AdStorage) SnapshotCopy(ctx context.Context, from blockstorage.Snapshot
 // SnapshotCopyWithArgs func: args map should contain non-empty StorageAccountName(AZURE_MIGRATE_STORAGE_ACCOUNT_NAME)
 // and StorageKey(AZURE_MIGRATE_STORAGE_ACCOUNT_KEY)
 // A destination ResourceGroup (AZURE_MIGRATE_RESOURCE_GROUP) can be provided. The created snapshot will belong to this.
-func (s *AdStorage) SnapshotCopyWithArgs(ctx context.Context, from blockstorage.Snapshot, to blockstorage.Snapshot, args map[string]string) (*blockstorage.Snapshot, error) {
+func (s *AdStorage) SnapshotCopyWithArgs(ctx context.Context, from blockstorage.Snapshot,
+	to blockstorage.Snapshot, args map[string]string) (*blockstorage.Snapshot, error) {
 	migrateStorageAccount := args[blockstorage.AzureMigrateStorageAccount]
 	migrateStorageKey := args[blockstorage.AzureMigrateStorageKey]
-	if migrateStorageAccount == "" || migrateStorageKey == "" {
+	if isMigrateStorageAccountorKey(migrateStorageAccount, migrateStorageKey) {
 		return nil, errors.Errorf("Required args %s and %s  for snapshot copy not available", blockstorage.AzureMigrateStorageAccount, blockstorage.AzureMigrateStorageKey)
 	}
 
@@ -206,7 +211,11 @@ func (s *AdStorage) SnapshotCopyWithArgs(ctx context.Context, from blockstorage.
 	}
 	blobURI := blob.GetURL()
 
-	snapName := fmt.Sprintf(snapshotNameFmt, uuid.NewV1().String())
+	snapId, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	snapName := fmt.Sprintf(snapshotNameFmt, snapId.String())
 	var tags = make(map[string]string)
 	for _, tag := range from.Volume.Tags {
 		if _, found := tags[tag.Key]; !found {
@@ -253,6 +262,10 @@ func (s *AdStorage) SnapshotCopyWithArgs(ctx context.Context, from blockstorage.
 	return snap, nil
 }
 
+func isMigrateStorageAccountorKey(migrateStorageAccount, migrateStorageKey string) bool {
+	return migrateStorageAccount == "" || migrateStorageKey == ""
+}
+
 func (s *AdStorage) revokeAccess(ctx context.Context, rg, name, ID string) {
 	_, err := s.azCli.SnapshotsClient.RevokeAccess(ctx, rg, name)
 	if err != nil {
@@ -268,7 +281,11 @@ func deleteBlob(blob *storage.Blob, blobName string) {
 }
 
 func (s *AdStorage) SnapshotCreate(ctx context.Context, volume blockstorage.Volume, tags map[string]string) (*blockstorage.Snapshot, error) {
-	snapName := fmt.Sprintf(snapshotNameFmt, uuid.NewV1().String())
+	snapId, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	snapName := fmt.Sprintf(snapshotNameFmt, snapId.String())
 	tags = blockstorage.SanitizeTags(ktags.GetTags(tags))
 	region, _, err := getLocationInfo(volume.Az)
 	if err != nil {
@@ -482,7 +499,11 @@ func (s *AdStorage) VolumeCreateFromSnapshot(ctx context.Context, snapshot block
 		return nil, err
 	}
 
-	diskName := fmt.Sprintf(volumeNameFmt, uuid.NewV1().String())
+	diskId, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	diskName := fmt.Sprintf(volumeNameFmt, diskId.String())
 	tags = blockstorage.SanitizeTags(tags)
 	createDisk := azcompute.Disk{
 		Name:     azto.StringPtr(diskName),

diff --git a/pkg/blockstorage/gcepd/gcepd.go b/pkg/blockstorage/gcepd/gcepd.go
@@ -24,9 +24,9 @@ import (
 	"strings"
 	"time"
 
+	uuid "github.com/gofrs/uuid"
 	"github.com/jpillora/backoff"
 	"github.com/pkg/errors"
-	uuid "github.com/satori/go.uuid"
 	compute "google.golang.org/api/compute/v1"
 	"google.golang.org/api/googleapi"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -108,8 +108,12 @@ func (s *GpdStorage) VolumeCreate(ctx context.Context, volume blockstorage.Volum
 	}
 	tags = blockstorage.SanitizeTags(ktags.GetTags(tags))
 
+	id, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
 	createDisk := &compute.Disk{
-		Name:   fmt.Sprintf(volumeNameFmt, uuid.NewV1().String()),
+		Name:   fmt.Sprintf(volumeNameFmt, id.String()),
 		SizeGb: blockstorage.SizeInGi(volume.SizeInBytes),
 		Type:   volume.VolumeType,
 		Labels: tags,
@@ -179,8 +183,12 @@ func (s *GpdStorage) SnapshotCopyWithArgs(ctx context.Context, from blockstorage
 
 // SnapshotCreate is part of blockstorage.Provider
 func (s *GpdStorage) SnapshotCreate(ctx context.Context, volume blockstorage.Volume, tags map[string]string) (*blockstorage.Snapshot, error) {
+	rbId, uerr := uuid.NewV1()
+	if uerr != nil {
+		return nil, errors.Wrap(uerr, "Failed to create UUID")
+	}
 	rb := &compute.Snapshot{
-		Name:   fmt.Sprintf(snapshotNameFmt, uuid.NewV1().String()),
+		Name:   fmt.Sprintf(snapshotNameFmt, rbId.String()),
 		Labels: blockstorage.SanitizeTags(ktags.GetTags(tags)),
 	}
 	var err error
@@ -369,8 +377,12 @@ func (s *GpdStorage) VolumeCreateFromSnapshot(ctx context.Context, snapshot bloc
 			tags[tag.Key] = tag.Value
 		}
 	}
+	createDiskId, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
 	createDisk := &compute.Disk{
-		Name:           fmt.Sprintf(volumeNameFmt, uuid.NewV1().String()),
+		Name:           fmt.Sprintf(volumeNameFmt, createDiskId.String()),
 		SizeGb:         blockstorage.SizeInGi(snapshot.Volume.SizeInBytes),
 		Type:           snapshot.Volume.VolumeType,
 		Labels:         blockstorage.SanitizeTags(ktags.GetTags(tags)),

diff --git a/pkg/blockstorage/vmware/vmware.go b/pkg/blockstorage/vmware/vmware.go
@@ -10,8 +10,8 @@ import (
 	"strings"
 	"time"
 
+	uuid "github.com/gofrs/uuid"
 	"github.com/pkg/errors"
-	uuid "github.com/satori/go.uuid"
 	"github.com/vmware/govmomi/cns"
 	"github.com/vmware/govmomi/vapi/rest"
 	vapitags "github.com/vmware/govmomi/vapi/tags"
@@ -170,8 +170,11 @@ func (p *FcdProvider) VolumeCreateFromSnapshot(ctx context.Context, snapshot blo
 		return nil, errors.Wrap(err, "Failed to split snapshot full ID")
 	}
 	log.Debug().Print("CreateDiskFromSnapshot foo", field.M{"VolumeID": volID, "SnapshotID": snapshotID})
-	uid := uuid.NewV1().String()
-	task, err := p.Gom.CreateDiskFromSnapshot(ctx, vimID(volID), vimID(snapshotID), uid, nil, nil, "")
+	uid, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
+	task, err := p.Gom.CreateDiskFromSnapshot(ctx, vimID(volID), vimID(snapshotID), uid.String(), nil, nil, "")
 	if err != nil {
 		return nil, errors.Wrap(err, "Failed to create disk from snapshot")
 	}

diff --git a/pkg/testutil/mockblockstorage/mockblockstorage.go b/pkg/testutil/mockblockstorage/mockblockstorage.go
@@ -19,8 +19,8 @@ import (
 	"fmt"
 	"time"
 
+	uuid "github.com/gofrs/uuid"
 	"github.com/pkg/errors"
-	uuid "github.com/satori/go.uuid"
 
 	"github.com/kanisterio/kanister/pkg/blockstorage"
 	"github.com/kanisterio/kanister/pkg/blockstorage/getter"
@@ -55,17 +55,21 @@ func (*mockGetter) Get(storageType blockstorage.Type, config map[string]string)
 	case blockstorage.TypeEBS:
 		fallthrough
 	case blockstorage.TypeGPD:
-		return Get(storageType), nil
+		return Get(storageType)
 	default:
 		return nil, errors.New("Get failed")
 	}
 }
 
 // Get returns a mock storage provider
-func Get(storageType blockstorage.Type) *Provider {
+func Get(storageType blockstorage.Type) (*Provider, error) {
+	volumeUUID, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
 	volume := blockstorage.Volume{
 		Type:        storageType,
-		ID:          fmt.Sprintf("vol-%s", uuid.NewV1().String()),
+		ID:          fmt.Sprintf("vol-%s", volumeUUID.String()),
 		Az:          "AZ",
 		Encrypted:   false,
 		VolumeType:  "ssd",
@@ -78,9 +82,13 @@ func Get(storageType blockstorage.Type) *Provider {
 		CreationTime: blockstorage.TimeStamp(time.Time{}),
 	}
 	snapVol := volume
+	snapUUID, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
 	snapshot := blockstorage.Snapshot{
 		Type:        storageType,
-		ID:          fmt.Sprintf("snap-%s", uuid.NewV1().String()),
+		ID:          fmt.Sprintf("snap-%s", snapUUID.String()),
 		SizeInBytes: 1024,
 		Tags: []*blockstorage.KeyValue{
 			{Key: "kanister.io/jobid", Value: "unittest"},
@@ -97,7 +105,7 @@ func Get(storageType blockstorage.Type) *Provider {
 		SnapIDList:        make([]string, 0),
 		DeletedSnapIDList: make([]string, 0),
 		VolIDList:         make([]string, 0),
-	}
+	}, nil
 }
 
 // Type mock
@@ -112,9 +120,13 @@ func (p *Provider) VolumeCreate(context.Context, blockstorage.Volume) (*blocksto
 
 // VolumeCreateFromSnapshot mock
 func (p *Provider) VolumeCreateFromSnapshot(ctx context.Context, snapshot blockstorage.Snapshot, tags map[string]string) (*blockstorage.Volume, error) {
+	volUUID, err := uuid.NewV1()
+	if err != nil {
+		return nil, errors.Wrap(err, "Failed to create UUID")
+	}
 	vol := blockstorage.Volume{
 		Type:        snapshot.Type,
-		ID:          fmt.Sprintf("vol-%s", uuid.NewV1().String()),
+		ID:          fmt.Sprintf("vol-%s", volUUID.String()),
 		Az:          "AZ",
 		Encrypted:   false,
 		VolumeType:  "ssd",

diff --git a/pkg/testutil/mockblockstorage/mockblockstorage_test.go b/pkg/testutil/mockblockstorage/mockblockstorage_test.go
@@ -29,6 +29,7 @@ type MockSuite struct{}
 var _ = Suite(&MockSuite{})
 
 func (s *MockSuite) TestMockStorage(c *C) {
-	mock := Get(blockstorage.TypeEBS)
+	mock, err := Get(blockstorage.TypeEBS)
+	c.Assert(err, IsNil)
 	c.Assert(mock.Type(), Equals, blockstorage.TypeEBS)
 }