Fix panic in GenerateDeterministicNameFromSpec with long resolver names

vdemeester · vdemeester · commit 5e4905fb6754 · 2026-03-16T13:22:21.000+01:00
GenerateDeterministicNameFromSpec panics when the generated name exceeds 63 characters (DNS-1123 label max length) because strings.LastIndex is used to find a space character as a truncation boundary. The generated name format is '{prefix}-{hex_hash}' which never contains spaces, so LastIndex returns -1, causing a slice bounds panic. An attacker who can create TaskRuns or PipelineRuns can set the resolver name to a string >= 30 characters to trigger this panic, crashing the controller into a CrashLoopBackOff. Fix: compute the hash first, then truncate only the prefix to make room, preserving the full hash to maintain determinism and uniqueness of generated ResolutionRequest names. Fixes: GHSA-cv4x-93xx-wgfj
diff --git a/pkg/resolution/resource/name.go b/pkg/resolution/resource/name.go
@@ -21,7 +21,6 @@ import (
 	"hash"
 	"hash/fnv"
 	"sort"
-	"strings"
 
 	v1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1"
 	"github.com/tektoncd/pipeline/pkg/apis/resolution/v1beta1"
@@ -77,6 +76,19 @@ func nameHasher() hash.Hash {
 	return fnv.New128a()
 }
 
+// sanitizedName builds a "{prefix}-{hash}" string that fits within the
+// DNS-1123 label max length. If the prefix is too long, it is truncated
+// so that the full hash is always preserved, maintaining determinism and
+// uniqueness.
+func sanitizedName(prefix string, hasher hash.Hash) string {
+	hex := fmt.Sprintf("%x", hasher.Sum(nil))
+	maxPrefixLen := maxLength - len(hex) - 1 // 1 for the "-" separator
+	if len(prefix) > maxPrefixLen {
+		prefix = prefix[:maxPrefixLen]
+	}
+	return fmt.Sprintf("%s-%s", prefix, hex)
+}
+
 // GenerateDeterministicNameFromSpec makes a best-effort attempt to create a
 // unique but reproducible name for use in a Request. The returned value
 // will have the format {prefix}-{hash} where {prefix} is
@@ -89,7 +101,7 @@ func GenerateDeterministicNameFromSpec(prefix, base string, resolutionSpec *v1be
 	}
 
 	if resolutionSpec == nil {
-		return fmt.Sprintf("%s-%x", prefix, hasher.Sum(nil)), nil
+		return sanitizedName(prefix, hasher), nil
 	}
 	params := resolutionSpec.Params
 	sortedParams := make(v1.Params, len(params))
@@ -123,11 +135,7 @@ func GenerateDeterministicNameFromSpec(prefix, base string, resolutionSpec *v1be
 			return "", err
 		}
 	}
-	name := fmt.Sprintf("%s-%x", prefix, hasher.Sum(nil))
-	if maxLength > len(name) {
-		return name, nil
-	}
-	return name[:strings.LastIndex(name[:maxLength], " ")], nil
+	return sanitizedName(prefix, hasher), nil
 }
 
 // GenerateErrorLogString makes a best effort attempt to get the name of the task
diff --git a/pkg/resolution/resource/name_test.go b/pkg/resolution/resource/name_test.go
@@ -101,6 +101,14 @@ func TestGenerateDeterministicName(t *testing.T) {
 			args: golden,
 			want: "prefix-ba2f256f318de7f4154da577c283cb9e",
 		},
+		{
+			name: "long prefix with nil params truncates prefix preserving hash",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 31 chars
+				base:   "default/my-taskrun",
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2d162955e9c9fcfef736fd389e7fd796",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -201,6 +209,62 @@ func TestGenerateDeterministicNameFromSpec(t *testing.T) {
 			args: golden,
 			want: "prefix-ff25bd24688ab610bdc530a5ab3aabbd",
 		},
+		{
+			name: "long prefix at exactly max length is not truncated",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 30 chars, name = 30+1+32 = 63 = maxLength
+				base:   "default/my-taskrun",
+				params: []v1.Param{{
+					Name:  "foo",
+					Value: v1.ParamValue{Type: v1.ParamTypeString, StringVal: "bar"},
+				}},
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-da9d0a4501a276745547b4b4b21a2e77", // exactly 63, fits
+		},
+		{
+			name: "long prefix exceeding max length truncates prefix not hash",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 31 chars, would be 64 > maxLength
+				base:   "default/my-taskrun",
+				params: []v1.Param{{
+					Name:  "foo",
+					Value: v1.ParamValue{Type: v1.ParamTypeString, StringVal: "bar"},
+				}},
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-da9d0a4501a276745547b4b4b21a2e77", // prefix trimmed to 30, hash preserved
+		},
+		{
+			name: "very long prefix truncates prefix preserving hash",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 50 chars
+				base:   "default/my-taskrun",
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-2d162955e9c9fcfef736fd389e7fd796", // prefix trimmed to 30, hash preserved
+		},
+		{
+			name: "different inputs with same long prefix produce different names",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 31 chars
+				base:   "default/other-taskrun",
+				params: []v1.Param{{
+					Name:  "baz",
+					Value: v1.ParamValue{Type: v1.ParamTypeString, StringVal: "qux"},
+				}},
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-5592e5f983640b4274071dbe1c09068d", // same prefix length, different hash
+		},
+		{
+			name: "prefix under max length returns full name",
+			args: args{
+				prefix: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa", // 29 chars, name = 62 chars
+				base:   "default/my-taskrun",
+				params: []v1.Param{{
+					Name:  "foo",
+					Value: v1.ParamValue{Type: v1.ParamTypeString, StringVal: "bar"},
+				}},
+			},
+			want: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa-da9d0a4501a276745547b4b4b21a2e77", // 62 chars, no truncation
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
