Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

retrieveDeviceAuth: Call r.Body.Close() #750

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Miciah
Copy link

@Miciah Miciah commented Nov 4, 2024

Close the response body after reading it in the DeviceAuth logic.

The retrieveDeviceAuth function did not close the response body. However, the net/http documentation states that one is expected to close the response body after one sends an HTTP request and reads the response body. In addition, the doTokenRoundTrip function does call r.Body.Close(). (Some other functions use a client with a custom Transport that automatically closes the body, but that is not the case for retrieveDeviceAuth or doTokenRoundTrip.)

Follow-up to commit e3fb0fb.


I noticed the missing r.Body.Close() call while reviewing a vendor bump in a project that I help maintain. This project doesn't actually use DeviceAuth; I was just skimming through the newly vendored code when I noticed the questionable logic.

Copy link

google-cla bot commented Nov 4, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@@ -112,6 +112,7 @@ func retrieveDeviceAuth(ctx context.Context, c *Config, v url.Values) (*DeviceAu
}

body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
r.Body.Close()
if err != nil {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it should be defer r.Body.Close() before reading all the content.

defer r.Body.Close()
body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, I'm not sure why we need to use defer, unless io.ReadAll(io.LimitReader(r.Body, 1<<20)) can panic? Anyway, I implemented your suggestion in https://github.com/golang/oauth2/compare/ffeca96aa76167a098068334a567bb7c0975acc8..8499b419ad4097ac16cd5b264b8efe53791ae259. Thanks for reviewing!

Close the response body after reading it in the DeviceAuth logic.

The retrieveDeviceAuth function did not close the response body.
However, the net/http documentation states that one is expected to close
the response body after one sends an HTTP request and reads the response
body.  In addition, the doTokenRoundTrip function *does* call
r.Body.Close().  (Some other functions use a client with a custom
Transport that automatically closes the body, but that is not the case
for retrieveDeviceAuth or doTokenRoundTrip.)

Follow-up to commit e3fb0fb.

* deviceauth.go (retrieveDeviceAuth): Call r.Body.Close() after reading
r.Body.
@Miciah Miciah force-pushed the retrieveDeviceAuth-call-r.Body.Close branch from ffeca96 to 8499b41 Compare January 24, 2025 21:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants