From f8bc2e06daa3cb39139c4353a87f57d6ca70d5e7 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Mon, 1 Jul 2024 16:41:14 -0700
Subject: [PATCH] fix incorrect usage of json.NewDecoder

Signed-off-by: Tonis Tiigi
---
 cache/remotecache/s3/s3.go        | 3 +++
 executor/runcexecutor/executor.go | 6 +++++-
 exporter/attestation/unbundle.go  | 4 ++++
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cache/remotecache/s3/s3.go b/cache/remotecache/s3/s3.go
index 94c51a331cd5..d994c33c533b 100644
--- a/cache/remotecache/s3/s3.go
+++ b/cache/remotecache/s3/s3.go
@@ -408,6 +408,9 @@ func (s3Client *s3Client) getManifest(ctx context.Context, key string, config *v
 	if err := decoder.Decode(config); err != nil {
 		return false, errors.WithStack(err)
 	}
+	if _, err := decoder.Token(); !errors.Is(err, io.EOF) {
+		return false, errors.Errorf("unexpected data after JSON object")
+	}
 	return true, nil
 }
 
diff --git a/executor/runcexecutor/executor.go b/executor/runcexecutor/executor.go
index 93a3c440fe55..281cff3d0c17 100644
--- a/executor/runcexecutor/executor.go
+++ b/executor/runcexecutor/executor.go
@@ -422,9 +422,13 @@ func (w *runcExecutor) Exec(ctx context.Context, id string, process executor.Pro
 	defer f.Close()
 
 	spec := &specs.Spec{}
-	if err := json.NewDecoder(f).Decode(spec); err != nil {
+	dec := json.NewDecoder(f)
+	if err := dec.Decode(spec); err != nil {
 		return err
 	}
+	if _, err := dec.Token(); !errors.Is(err, io.EOF) {
+		return errors.Errorf("unexpected data after JSON spec object")
+	}
 
 	if process.Meta.User != "" {
 		uid, gid, sgids, err := oci.GetUser(state.Rootfs, process.Meta.User)
diff --git a/exporter/attestation/unbundle.go b/exporter/attestation/unbundle.go
index 824dabefbb6f..eccb76d49fa4 100644
--- a/exporter/attestation/unbundle.go
+++ b/exporter/attestation/unbundle.go
@@ -3,6 +3,7 @@ package attestation
 import (
 	"context"
 	"encoding/json"
+	"io"
 	"os"
 	"path"
 	"strings"
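Review bot: The `!errors.Is(err, io.EOF)` condition in the new trailing-data check reports every non-EOF outcome of `decoder.Token()` as "unexpected data after JSON object", so a read error on the S3 response body or a syntax error in the trailer is indistinguishable from a genuinely smuggled second JSON value, and the underlying `err` is discarded although the Decode path two lines above keeps it via `errors.WithStack`. For a cache import that is fetched over the network this turns a transport failure into what looks like a corrupt manifest and hides the cause from whoever is debugging it. Separate the "Token succeeded, so more data follows" case from a real error and return the latter with its stack. getManifest's signature and the construction of `decoder` are outside the hunk.
```go
	// … unchanged: decoder.Decode(config) and its error return …
	_, err := decoder.Token()
	if err == nil {
		return false, errors.New("unexpected data after JSON object")
	}
	if !errors.Is(err, io.EOF) {
		return false, errors.WithStack(err)
	}
	return true, nil
```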
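Review bot: `errors.Errorf("unexpected data after JSON spec object")` carries no format arguments and should be `errors.New`, as the unbundle.go hunk in this same commit already does; more importantly, the surrounding branch also swallows any non-EOF `err` from `dec.Token()`, so a short read or I/O error on the spec file is reported as trailing data and the original error is lost, unlike the Decode error just above which is returned unchanged. Distinguish the no-error case (a second value is present) from a real error and return the real error, wrapped if the errors package in scope is the same one that provides `Errorf` and `Is` here. Exec's signature and the opening of `f` are outside the hunk.
```go
	dec := json.NewDecoder(f)
	if err := dec.Decode(spec); err != nil {
		return err
	}
	if _, err := dec.Token(); err == nil {
		return errors.New("unexpected data after JSON spec object")
	} else if !errors.Is(err, io.EOF) {
		return errors.Wrap(err, "reading trailing data after JSON spec object")
	}
	// … unchanged: process.Meta.User handling …
```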
@@ -141,6 +142,9 @@ func unbundle(root string, bundle exporter.Attestation) ([]exporter.Attestation,
 	if err := dec.Decode(&stmt); err != nil {
 		return nil, errors.Wrap(err, "cannot decode in-toto statement")
 	}
+	if _, err := dec.Token(); !errors.Is(err, io.EOF) {
+		return nil, errors.New("in-toto statement is not a single JSON object")
+	}
 	if bundle.InToto.PredicateType != "" && stmt.PredicateType != bundle.InToto.PredicateType {
 		return nil, errors.Errorf("bundle entry %s does not match required predicate type %s", stmt.PredicateType, bundle.InToto.PredicateType)
 	}
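Review bot: This is the third hand-written copy of the same post-Decode trailing-data check in one commit (s3.go and executor.go carry the other two), each with a different message and each dropping the non-EOF `err` from `dec.Token()`, so here a syntax error in the trailer or a read error on the underlying file surfaces as "in-toto statement is not a single JSON object", which is accurate only when `Token()` returned no error at all. A small helper that returns nil on `io.EOF`, a fixed error when a further token is present, and the original error otherwise would let all three call sites read `if err := ensureEOF(dec); err != nil { return nil, errors.Wrap(err, "in-toto statement is not a single JSON object") }` and would be trivial to unit-test once; it is shown local to this package, and sharing it with the other two packages needs a home outside this file. unbundle's signature and the creation of `dec` are outside the hunk.
```go
// ensureEOF fails if dec has anything other than trailing whitespace left,
// returning the decoder's own error for anything that is not a clean EOF.
func ensureEOF(dec *json.Decoder) error {
	_, err := dec.Token()
	if err == nil {
		return errors.New("unexpected data after JSON value")
	}
	if errors.Is(err, io.EOF) {
		return nil
	}
	return err
}
```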