From d45ec38752d6c56fd4e5849edd8fcd4be896122c Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 2 Dec 2024 06:02:31 -0800
Subject: [PATCH] avoid leaks during zip download and multi-object downloads
---
.github/workflows/jobs.yaml | 54 ++++++++++++++++----------------
.github/workflows/vulncheck.yaml | 4 +--
README.md | 14 ---------
api/user_objects.go | 18 ++++++++---
go.mod | 6 ++--
web-app/playwright/jobs.yaml | 8 ++---
6 files changed, 50 insertions(+), 54 deletions(-)
diff --git a/.github/workflows/jobs.yaml b/.github/workflows/jobs.yaml
index 82cf55945f..3b5389453b 100644
--- a/.github/workflows/jobs.yaml
+++ b/.github/workflows/jobs.yaml
@@ -22,7 +22,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -64,7 +64,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -112,7 +112,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] steps: # To build minio image, we need to clone the repository first - name: Clone github.com/minio/minio
@@ -150,7 +150,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -189,7 +189,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -243,7 +243,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -296,7 +296,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -348,7 +348,7 @@ jobs: timeout-minutes: 10 strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -400,7 +400,7 @@ jobs: timeout-minutes: 15 strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -448,7 +448,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -496,7 +496,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -544,7 +544,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -595,7 +595,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -648,7 +648,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -683,7 +683,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -720,7 +720,7 @@ jobs: strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] steps: - name: Check out code
@@ -817,7 +817,7 @@ jobs: strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] steps: - name: Check out code
@@ -867,7 +867,7 @@ jobs: echo "replace github.com/minio/console => ../" >> go.mod echo "updates to go.mod needed; to update it: go mod tidy" - go mod tidy -compat=1.22 + go mod tidy -compat=1.23 echo "Get git version to build MinIO Image"; VERSION=`git rev-parse HEAD`;
@@ -901,7 +901,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -956,7 +956,7 @@ jobs: echo "download golang x tools" go mod download golang.org/x/tools echo "go mod tidy compat mode" - go mod tidy -compat=1.22 + go mod tidy -compat=1.23 echo "go build gocoverage.go" go build gocovmerge.go echo "put together the outs for final coverage resolution"
@@ -1027,7 +1027,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1069,7 +1069,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1109,7 +1109,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1137,7 +1137,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1164,7 +1164,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1192,7 +1192,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -1220,7 +1220,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
diff --git a/.github/workflows/vulncheck.yaml b/.github/workflows/vulncheck.yaml
index 5d32bbbaa2..19ca903896 100644
--- a/.github/workflows/vulncheck.yaml
+++ b/.github/workflows/vulncheck.yaml
@@ -19,7 +19,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22 + go-version: 1.23.3 check-latest: true - name: Get official govulncheck run: go install golang.org/x/vuln/cmd/govulncheck@latest
@@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: [ 1.22 ] + go-version: [ 1.23.x ] os: [ ubuntu-latest ] steps: - name: Check out code
diff --git a/README.md b/README.md
index 09b2803bb8..ab6f46091f 100644
--- a/README.md
+++ b/README.md
@@ -25,21 +25,7 @@ A graphical user interface for [MinIO](https://github.com/minio/minio) -## Install - MinIO Console is a library that provides a management and browser UI overlay for the MinIO Server. -The standalone binary installation path has been removed. - -In case a Console standalone binary is needed, it can be generated by building this package from source as follows: - -### Build from source - -> You will need a working Go environment. Therefore, please follow [How to install Go](https://golang.org/doc/install). -> Minimum version required is go1.22 - -``` -go install github.com/minio/console/cmd/console@latest -``` ## Setup
diff --git a/api/user_objects.go b/api/user_objects.go
index 40fec4c7c2..32eac7064f 100644
--- a/api/user_objects.go
+++ b/api/user_objects.go
@@ -550,10 +550,13 @@ func getDownloadFolderResponse(session *models.Principal, params objectApi.Downl Modified: modified, }) if err != nil { + object.Close() // Ignore errors, move to next continue } + _, err = io.Copy(f, object) + object.Close() if err != nil { // We have a partial object, report error. pw.CloseWithError(err)
@@ -650,14 +653,17 @@ func getMultipleFilesDownloadResponse(session *models.Principal, params objectAp // Ignore errors, move to next continue } - modified, _ := time.Parse(time.RFC3339, obj.LastModified) + modified, _ := time.Parse(time.RFC3339, obj.LastModified) f, err := addToZip(name, modified) if err != nil { + object.Close() // Ignore errors, move to next continue } + _, err = io.Copy(f, object) + object.Close() if err != nil { // We have a partial object, report error. pw.CloseWithError(err)
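Review bot: The copy-then-close pair added in the getDownloadFolderResponse hunk (`_, err = io.Copy(f, object)` followed by `object.Close()`) is repeated verbatim in both getMultipleFilesDownloadResponse hunks (@@ -650 and @@ -683), and each close is placed by hand rather than tied to the reader's scope, so a later early exit can bring the leak back. A `defer` directly in the loop body is not a substitute, since it would keep every object open until the function returns. A small shared helper such as `func copyAndClose(w io.Writer, r io.ReadCloser) error { defer r.Close(); _, err := io.Copy(w, r); return err }`, called as `err = copyAndClose(f, object)`, would give the copy step one enforced close point; the `continue` branch before it still needs its explicit close. Unclosed object readers on what the commit title describes as the zip and multi-object download path are a resource-exhaustion concern, so this is worth making hard to get wrong. Both functions begin and end outside the hunks, so the surrounding loop is inferred from the `continue` statements.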
@@ -666,13 +672,14 @@ func getMultipleFilesDownloadResponse(session *models.Principal, params objectAp } } else { - // add selected individual object - objectData, err := mClient.StatObject(ctx, params.BucketName, dObj, minio.StatObjectOptions{}) + object, err := mClient.GetObject(ctx, params.BucketName, dObj, minio.GetObjectOptions{}) if err != nil { // Ignore errors, move to next continue } - object, err := mClient.GetObject(ctx, params.BucketName, dObj, minio.GetObjectOptions{}) + + // add selected individual object + objectData, err := object.Stat() if err != nil { // Ignore errors, move to next continue
@@ -683,10 +690,13 @@ func getMultipleFilesDownloadResponse(session *models.Principal, params objectAp objectName := prefixes[len(prefixes)-1] f, err := addToZip(objectName, objectData.LastModified) if err != nil { + object.Close() // Ignore errors, move to next continue } + _, err = io.Copy(f, object) + object.Close() if err != nil { // We have a partial object, report error. pw.CloseWithError(err)
diff --git a/go.mod b/go.mod
index ab243e5e49..309c5d2945 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@ module github.com/minio/console -go 1.22 +go 1.23 require ( github.com/blang/semver/v4 v4.0.0
@@ -24,6 +24,7 @@ require ( github.com/minio/madmin-go/v3 v3.0.68 github.com/minio/mc v0.0.0-20240815155011-479171e7be9c github.com/minio/minio-go/v7 v7.0.81-0.20241125171916-a563333c01ef + github.com/minio/pkg/v3 v3.0.22 github.com/minio/selfupdate v0.6.0 github.com/minio/websocket v1.6.0 github.com/mitchellh/go-homedir v1.1.0
@@ -35,14 +36,13 @@ require ( golang.org/x/crypto v0.28.0 golang.org/x/net v0.30.0 golang.org/x/oauth2 v0.22.0 + // Added to include security fix for // https://github.com/golang/go/issues/56152 golang.org/x/text v0.19.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect ) -require github.com/minio/pkg/v3 v3.0.22 - require ( aead.dev/mem v0.2.0 // indirect aead.dev/minisign v0.3.0 // indirect
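Review bot: In the @@ -666 hunk of getMultipleFilesDownloadResponse, the error branch after `objectData, err := object.Stat()` still runs `continue` without closing `object`, which the new code has already obtained from `mClient.GetObject`; that is the same kind of leak the commit title says it removes. Add `object.Close()` as the first statement of that branch, matching the `addToZip` error branch in the following hunk. A short comment there, e.g. `// Stat failed: release the reader before skipping this object`, would also help, because with Stat now issued on the opened object a missing or unreadable key may well surface at this check rather than at GetObject (inferred from the call order; confirm against the client library). The function body starts and ends outside the hunk.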
diff --git a/web-app/playwright/jobs.yaml b/web-app/playwright/jobs.yaml
index ccaf2a1430..81bc3d2b2d 100644
--- a/web-app/playwright/jobs.yaml
+++ b/web-app/playwright/jobs.yaml
@@ -20,7 +20,7 @@ jobs: runs-on: [ubuntu-latest] strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -44,7 +44,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -84,7 +84,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code
@@ -129,7 +129,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - go-version: [1.22.x] + go-version: [1.23.x] os: [ubuntu-latest] steps: - name: Check out code