mirror
/
logrus
mirror of https://github.com/sirupsen/logrus.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1376 from ozfive/master 

This commit fixes a potential denial of service vulnerability in logrus.Writer() that could be triggered by logging text longer than 64kb without newlines.
This commit is contained in:
Simon Eskildsen 2023-05-15 06:31:06 -04:00 committed by GitHub
parent e59b167d75 105e63f86c
commit 6acd903758
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 34 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
writer.go
View File

@ -4,6 +4,7 @@ import (
"bufio" "bufio"
"io" "io"
"runtime" "runtime"
"strings"
) )
// Writer at INFO level. See WriterLevel for details. // Writer at INFO level. See WriterLevel for details.
@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
return NewEntry(logger).WriterLevel(level) return NewEntry(logger).WriterLevel(level)
} }
// Writer returns an io.Writer that writes to the logger at the info log level
func (entry *Entry) Writer() *io.PipeWriter { func (entry *Entry) Writer() *io.PipeWriter {
return entry.WriterLevel(InfoLevel) return entry.WriterLevel(InfoLevel)
} }
// WriterLevel returns an io.Writer that writes to the logger at the given log level
func (entry *Entry) WriterLevel(level Level) *io.PipeWriter { func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
reader, writer := io.Pipe() reader, writer := io.Pipe()
var printFunc func(args ...interface{}) var printFunc func(args ...interface{})
// Determine which log function to use based on the specified log level
switch level { switch level {
case TraceLevel: case TraceLevel:
printFunc = entry.Trace printFunc = entry.Trace
@ -48,23 +52,51 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
printFunc = entry.Print printFunc = entry.Print
} }
// Start a new goroutine to scan the input and write it to the logger using the specified print function.
// It splits the input into chunks of up to 64KB to avoid buffer overflows.
go entry.writerScanner(reader, printFunc) go entry.writerScanner(reader, printFunc)
// Set a finalizer function to close the writer when it is garbage collected
runtime.SetFinalizer(writer, writerFinalizer) runtime.SetFinalizer(writer, writerFinalizer)
return writer return writer
} }
// writerScanner scans the input from the reader and writes it to the logger
func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) { func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
scanner := bufio.NewScanner(reader) scanner := bufio.NewScanner(reader)
for scanner.Scan() {
printFunc(scanner.Text()) // Set the buffer size to the maximum token size to avoid buffer overflows
scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
// Define a split function to split the input into chunks of up to 64KB
chunkSize := 64 * 1024 // 64KB
splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
if len(data) > chunkSize {
return chunkSize, data[:chunkSize], nil
} }
return len(data), data, nil
}
//Use the custom split function to split the input
scanner.Split(splitFunc)
// Scan the input and write it to the logger using the specified print function
for scanner.Scan() {
printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
}
// If there was an error while scanning the input, log an error
if err := scanner.Err(); err != nil { if err := scanner.Err(); err != nil {
entry.Errorf("Error while reading from Writer: %s", err) entry.Errorf("Error while reading from Writer: %s", err)
} }
// Close the reader when we are done
reader.Close() reader.Close()
} }
// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
func writerFinalizer(writer *io.PipeWriter) { func writerFinalizer(writer *io.PipeWriter) {
writer.Close() writer.Close()
} }