Skip to content

fix(inspect): always close CRL response body in checkCRLValidCert#466

Closed
alliasgher wants to merge 1 commit into
cert-manager:mainfrom
alliasgher:fix-crl-body-close
Closed

fix(inspect): always close CRL response body in checkCRLValidCert#466
alliasgher wants to merge 1 commit into
cert-manager:mainfrom
alliasgher:fix-crl-body-close

Conversation

@alliasgher

Copy link
Copy Markdown

Summary

checkCRLValidCert in pkg/inspect/secret/util.go calls http.DefaultClient.Do and then reads the body with io.ReadAll. The explicit resp.Body.Close() only runs after the ReadAll succeeds; if io.ReadAll returns an error the function returns early and the body is never closed, leaking the underlying TCP connection.

This PR replaces the explicit close with a defer resp.Body.Close() immediately after the successful Do() call, so both the success and the read-error path close the body. Behaviour on the happy path is unchanged.

Fixes #442

checkCRLValidCert calls http.DefaultClient.Do and then reads the body
with io.ReadAll. The explicit resp.Body.Close() only runs after the
ReadAll succeeds; if io.ReadAll returns an error the function returns
early and the body is never closed, leaking the underlying TCP
connection.

Replace the explicit close with a defer immediately after the
successful Do(), so both the success and the read-error path close the
body.

Fixes cert-manager#442

Signed-off-by: alliasgher <alliasgher123@gmail.com>
@cert-manager-prow cert-manager-prow Bot added the dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. label Apr 25, 2026
@cert-manager-prow

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jakexks for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 25, 2026
@cert-manager-prow

Copy link
Copy Markdown
Contributor

Hi @alliasgher. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 25, 2026
@erikgb

erikgb commented Apr 30, 2026

Copy link
Copy Markdown
Member

/ok-to-test

@erikgb erikgb requested a review from Copilot April 30, 2026 18:47
@cert-manager-prow cert-manager-prow Bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 30, 2026

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a resource leak in the CRL validation path by ensuring HTTP response bodies are always closed, even when reading the body fails (addresses #442).

Changes:

  • Add defer resp.Body.Close() immediately after a successful http.DefaultClient.Do(req) in checkCRLValidCert.
  • Remove the explicit resp.Body.Close() that only executed on the happy path.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +109 to 113
defer resp.Body.Close()

body, err := io.ReadAll(resp.Body)
if err != nil {
return false, fmt.Errorf("error reading HTTP body: %w", err)

Copilot AI Apr 30, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a unit test to lock in the intended behavior that the HTTP response body is closed on the error path (e.g., when the response body reader returns an error during read). Since this function uses http.DefaultClient, you can temporarily swap the client's Transport in the test to return a Response with a custom ReadCloser that tracks whether Close() was called, then assert it was closed even when the read fails.

Copilot uses AI. Check for mistakes.
@erikgb

erikgb commented Apr 30, 2026

Copy link
Copy Markdown
Member

Thanks @alliasgher. I'll merge #463 instead, which is an older PR.

/close

@cert-manager-prow

Copy link
Copy Markdown
Contributor

@erikgb: Closed this PR.

Details

In response to this:

Thanks @alliasgher. I'll merge #463 instead, which is an older PR.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. ok-to-test size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

inspect secret: response body not closed on error path during CRL check

3 participants