Panic in `vendir sync` #389

Zerpet · 2024-07-09T11:23:12Z

What steps did you take:

Export the env variable VENDIR_GITHUB_API_TOKEN with a valid GitHub token
Run vendir sync with the following manifest

vendir.yml

---
apiVersion: vendir.k14s.io/v1alpha1
kind: Config

directories:
  - path: v-operator-manifests
    contents:
      - path: cluster-operator
        githubRelease:
          slug: rabbitmq/cluster-operator
          tagSelection:
            semver:
              constraints: ">2.0.0"
          assetNames: ["cluster-operator-quay-io.yml"]
          disableAutoChecksumValidation: true
          secretRef:
            name: gh-auth

---
apiVersion: v1
kind: Secret
metadata:
  name: gh-auth
data:
  token: ZmFrZS10b2tlbgo= # fake-token

What happened:

vendir sync panics with a segfault

panic.txt

vendir sync             
Fetching: v-operator-manifests + cluster-operator (github release rabbitmq/cluster-operator@[>2.0.0])
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1032dc654]

goroutine 1 [running]:
carvel.dev/vendir/pkg/vendir/fetch/githubrelease.Sync.fetchTagSelection({{{0x140002d8480, 0x19}, {0x0, 0x0}, 0x14000192708, 0x0, {0x0, 0x0}, 0x0, 0x1, ...}, ...})
        carvel.dev/vendir/pkg/vendir/fetch/githubrelease/sync.go:247 +0x154
carvel.dev/vendir/pkg/vendir/fetch/githubrelease.Sync.url({{{0x140002d8480, 0x19}, {0x0, 0x0}, 0x14000192708, 0x0, {0x0, 0x0}, 0x0, 0x1, ...}, ...})
        carvel.dev/vendir/pkg/vendir/fetch/githubrelease/sync.go:85 +0x110
carvel.dev/vendir/pkg/vendir/fetch/githubrelease.Sync.downloadRelease({{{0x140002d8480, 0x19}, {0x0, 0x0}, 0x14000192708, 0x0, {0x0, 0x0}, 0x0, 0x1, ...}, ...}, ...)
        carvel.dev/vendir/pkg/vendir/fetch/githubrelease/sync.go:278 +0x74
carvel.dev/vendir/pkg/vendir/fetch/githubrelease.Sync.Sync({{{0x140002d8480, 0x19}, {0x0, 0x0}, 0x14000192708, 0x0, {0x0, 0x0}, 0x0, 0x1, ...}, ...}, ...)
        carvel.dev/vendir/pkg/vendir/fetch/githubrelease/sync.go:113 +0xfc
carvel.dev/vendir/pkg/vendir/directory.(*Directory).Sync(0x140002f47b0, {{0x1037cb0c8, 0x1400030aea0}, {0x14000038298, 0x28}, {0x0, 0x0}, {0x1037cf528, 0x103cbb8e0}, 0x1, ...})
        carvel.dev/vendir/pkg/vendir/directory/directory.go:176 +0xe50
carvel.dev/vendir/pkg/vendir/cmd.(*SyncOptions).Run(0x140002a7110)
        carvel.dev/vendir/pkg/vendir/cmd/sync.go:144 +0x6e4
carvel.dev/vendir/pkg/vendir/cmd.NewSyncCmd.func1(0x0?, {0x103cbb8e0?, 0x0?, 0x0?})
        carvel.dev/vendir/pkg/vendir/cmd/sync.go:47 +0x20
github.com/cppforlife/cobrautil.DisallowExtraArgs.WrapRunEForCmd.func2.1(0x1400027c608, {0x103cbb8e0, 0x0, 0x0})
        github.com/cppforlife/[email protected]/misc.go:45 +0x6c
carvel.dev/vendir/pkg/vendir/cmd.NewVendirCmd.WrapRunEForCmd.func3.1(0x1400027c608, {0x103cbb8e0, 0x0, 0x0})
        github.com/cppforlife/[email protected]/misc.go:45 +0x6c
carvel.dev/vendir/pkg/vendir/cmd.NewVendirCmd.WrapRunEForCmd.func4.1(0x1400027c608, {0x103cbb8e0, 0x0, 0x0})
        github.com/cppforlife/[email protected]/misc.go:45 +0x6c
github.com/spf13/cobra.(*Command).execute(0x1400027c608, {0x103cbb8e0, 0x0, 0x0})
        github.com/spf13/[email protected]/command.go:983 +0x840
github.com/spf13/cobra.(*Command).ExecuteC(0x1400027c308)
        github.com/spf13/[email protected]/command.go:1115 +0x344
github.com/spf13/cobra.(*Command).Execute(0x140002ac6f0?)
        github.com/spf13/[email protected]/command.go:1039 +0x1c
main.main()
        carvel.dev/vendir/cmd/vendir/vendir.go:31 +0x1c4

What did you expect:

vendir syn to succeed and not panic.

Anything else you would like to add:

A few observations:

The token in the secret seems irrelevant, whether it's fake or a valid token
Removing the Secret from the vendir manifest workarounds the issue i.e. does not panic
The repo rabbitmq/cluster-operator is public, as a repro for this report. The bug was found using a private repo that requires authentication

Environment:

vendir version (execute vendir --version): vendir version 0.40.1
OS (e.g. from /etc/os-release): MacOS 14.5 -- Apple M1 Pro

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

The text was updated successfully, but these errors were encountered:

renuy · 2024-07-12T06:15:13Z

@Zebradil would you be able to take a look at it?

Zebradil · 2024-07-23T02:38:17Z

The root of the issue is a trailing newline in the fake token value:

$ echo -n ZmFrZS10b2tlbgo= | base64 -d | hexdump -c
0000000   f   a   k   e   -   t   o   k   e   n  \n
000000b

The linked PR solves the issue.

Zerpet added bug This issue describes a defect or unexpected behavior carvel-triage This issue has not yet been reviewed for validity labels Jul 9, 2024

carvel-bot added this to Carvel Jul 9, 2024

renuy moved this to To Triage in Carvel Jul 12, 2024

Zebradil self-assigned this Jul 15, 2024

Zebradil mentioned this issue Jul 23, 2024

fix: avoid panic by checking response for nil #391

Merged

joaopapereira closed this as completed in #391 Jul 24, 2024

github-project-automation bot moved this from To Triage to Closed in Carvel Jul 24, 2024

github-actions bot removed the carvel-triage This issue has not yet been reviewed for validity label Jul 24, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Panic in `vendir sync` #389

Panic in `vendir sync` #389

Zerpet commented Jul 9, 2024

renuy commented Jul 12, 2024

Zebradil commented Jul 23, 2024

Panic in vendir sync #389

Panic in vendir sync #389

Comments

Zerpet commented Jul 9, 2024

renuy commented Jul 12, 2024

Zebradil commented Jul 23, 2024

Panic in `vendir sync` #389

Panic in `vendir sync` #389