Add bounds checks on Windows Python software mutation to avoid panics…

… when we don't have as many version components as we expect Backport of a fix that was part of #24784.
fleetdm · Mar 6, 2025 · 356184d · 356184d
1 parent fdd68bc
commit 356184d
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 0 deletions.
diff --git a/changes/python-bounds-check b/changes/python-bounds-check
@@ -0,0 +1 @@
+* Fixed Python for Windows software version mutation to avoid panics on software ingestion in some cases
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
@@ -1795,6 +1795,17 @@ var (
 			},
 			mutateSoftware: func(s *fleet.Software, logger log.Logger) {
 				versionComponents := strings.Split(s.Version, ".")
+				// Python 3 versions on Windows should always look like 3.14.102.0; if they don't we
+				// should bail out to avoid bad indexing panics.
+				if len(versionComponents) < 4 {
+					level.Debug(logger).Log("msg", "expected 4 version components", "gotCount", len(versionComponents))
+					return
+				}
+				if len(versionComponents[2]) < 3 {
+					level.Debug(logger).Log("msg", "got a patch version component with unexpected length", "gotPatchVersion", versionComponents[2])
+					return
+				}
+
 				patchVersion := versionComponents[2][0 : len(versionComponents[2])-3]
 				releaseLevel := versionComponents[2][len(versionComponents[2])-3 : len(versionComponents[2])-1]
 				releaseSerial := versionComponents[2][len(versionComponents[2])-1 : len(versionComponents[2])]

diff --git a/server/service/osquery_utils/queries_test.go b/server/service/osquery_utils/queries_test.go
@@ -1977,6 +1977,20 @@ func TestSanitizeSoftware(t *testing.T) {
 				BundleIdentifier: "com.jetbrains.intellij-EAP",
 			},
 		},
+		{
+			name: "Python for Windows shouldn't panic",
+			h:    &fleet.Host{},
+			s: &fleet.Software{
+				Name:    "Python 3.12 (64-bit)",
+				Version: "3.12",
+				Source:  "programs",
+			},
+			sanitized: &fleet.Software{
+				Name:    "Python 3.12 (64-bit)",
+				Version: "3.12",
+				Source:  "programs",
+			},
+		},
 		{
 			name: "Python for Windows GA dot-zero",
 			h:    &fleet.Host{},
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* Fixed Python for Windows software version mutation to avoid panics on software ingestion in some cases