Macaron: Prevent WriteHeader invalid HTTP status code panic (#42973)

(cherry picked from commit 92005159c89f848ab8b8435e0c8751599e2e8aff) Co-authored-by: Todd Treece <todd.treece@grafana.com>
3 years ago · f9481527de
parent e6c24396da
commit f9481527de
4 changed files with 70 additions and 0 deletions
--- a/pkg/macaron/go.mod
+++ b/pkg/macaron/go.mod
@ -1,3 +1,11 @@
 module gopkg.in/macaron.v1

 go 1.17
+
+require github.com/stretchr/testify v1.7.0
+
+require (
+	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
--- a/pkg/macaron/go.sum
+++ b/pkg/macaron/go.sum
@ -0,0 +1,11 @@
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/pkg/macaron/response_writer.go
+++ b/pkg/macaron/response_writer.go
@ -56,6 +56,14 @@ type responseWriter struct {

 func (rw *responseWriter) WriteHeader(s int) {
 	rw.callBefore()
+
+	// Avoid panic if status code is not a valid HTTP status code
+	if s < 100 || s > 999 {
+		rw.ResponseWriter.WriteHeader(500)
+		rw.status = 500
+		return
+	}
+
 	rw.ResponseWriter.WriteHeader(s)
 	rw.status = s
 }
--- a/pkg/macaron/response_writer_test.go
+++ b/pkg/macaron/response_writer_test.go
@ -0,0 +1,43 @@
+package macaron_test
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"gopkg.in/macaron.v1"
+)
+
+func Test_responseWriter_WriteHeader(t *testing.T) {
+	t.Run("it should set status code as expected", func(t *testing.T) {
+		f := fakeResponseWriter{}
+		rw := macaron.NewResponseWriter("GET", &f)
+		rw.WriteHeader(200)
+		require.Equal(t, 200, rw.Status())
+		require.Equal(t, 200, f.Status)
+	})
+
+	t.Run("it should set status code to 500 if WriteHeader is called with invalid HTTP status", func(t *testing.T) {
+		f := fakeResponseWriter{}
+		rw := macaron.NewResponseWriter("GET", &f)
+		rw.WriteHeader(0)
+		require.Equal(t, 500, rw.Status())
+		require.Equal(t, 500, f.Status)
+	})
+}
+
+type fakeResponseWriter struct {
+	Status int
+}
+
+func (f *fakeResponseWriter) Header() http.Header {
+	return http.Header{}
+}
+
+func (f *fakeResponseWriter) Write([]byte) (int, error) {
+	return 0, nil
+}
+
+func (f *fakeResponseWriter) WriteHeader(statusCode int) {
+	f.Status = statusCode
+}