Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v1.1.0 panics when Hostname is used rather than Host in the oauth flow. #69

Closed
williammartin opened this issue Oct 9, 2024 · 0 comments · Fixed by #70
Closed

v1.1.0 panics when Hostname is used rather than Host in the oauth flow. #69

williammartin opened this issue Oct 9, 2024 · 0 comments · Fixed by #70
Assignees
@williammartin

Comments

@williammartin
Copy link
Member

Description

#63 introduced a new safe parsing function NewGitHubHost which ensures that the URL parsing is valid. Consumers of this library can use it in order to pass in Host in the OauthFlow configuration struct:

oauth/oauth.go

Line 68 in afffc8e

Host *Host

However, it was possible to provide the deprecated Hostname string and both the device code and oauth flows would do the parsing internally. .

In #63, this parsing was changed to use the new function (which is great) but in doing so, some unintentional variable shadowing happened. Previously, the result of GitHubHost was assigned to the host variable which was used later on. Now the result of NewGitHubHost is assigned to host, err via short variable declaration (:=). This results in a new host variable being declared in the inner scope. Although we set oa.Host = host, the rest of the functions still use host, which results in a nil pointer deference.

Reproduction

Use these tests:

package oauth_test

import (
	"testing"

	"github.com/cli/oauth"
)

func TestDeviceFlowHostname(_ *testing.T) {
	flow := &oauth.Flow{
		Hostname: "github.com",
	}

	_, err := flow.DeviceFlow()
	if err != nil {
		panic(err)
	}
}

func TestWebFlowHostname(_ *testing.T) {
	flow := &oauth.Flow{
		Hostname: "github.com",
	}

	_, err := flow.WebAppFlow()
	if err != nil {
		panic(err)
	}
}

They will panic on:

github.com/cli/oauth.(*Flow).DeviceFlow(0x1400007aeb0)
	/Users/williammartin/workspace/oauth/oauth_device.go:42 +0x188

oauth/oauth_device.go

Line 42 in afffc8e

code, err := device.RequestCode(httpClient, host.DeviceCodeURL, oa.ClientID, oa.Scopes) 

github.com/cli/oauth.(*Flow).WebAppFlow(0x140001462c0)
	/Users/williammartin/workspace/oauth/oauth_webapp.go:37 +0x16c

oauth/oauth_webapp.go

Lines 36 to 37 in afffc8e

}
browserURL, err := flow.BrowserURL(host.AuthorizeURL, params)

Note that these tests aren't otherwise intended to pass (e.g. Device flow will panic for other reasons on an earlier commit), just to demonstrate the issue.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@williammartin williammartin

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix panic when Hostname is used cli/oauth
1 participant
@williammartin