http: ensure return after writing response by respondError (#8796) (#8798)

calvn · web-flow · commit 1bcbb6a2a314 · 2020-04-21T15:41:59.000-07:00
diff --git a/command/agent/cache/handler.go b/command/agent/cache/handler.go
@@ -40,6 +40,7 @@ func Handler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSin
 		if err != nil {
 			logger.Error("failed to read request body")
 			logical.RespondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))
+			return
 		}
 		if r.Body != nil {
 			r.Body.Close()
diff --git a/http/logical.go b/http/logical.go
@@ -232,6 +232,7 @@ func handleLogicalRecovery(raw *vault.RawBackend, token *atomic.String) http.Han
 		reqToken := r.Header.Get(consts.AuthHeaderName)
 		if reqToken == "" || token.Load() == "" || reqToken != token.Load() {
 			respondError(w, http.StatusForbidden, nil)
+			return
 		}
 
 		resp, err := raw.HandleRequest(r.Context(), req)
@@ -379,6 +380,7 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForw
 		case strings.HasPrefix(req.Path, "sys/metrics"):
 			if isStandby, _ := core.Standby(); isStandby {
 				respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)
+				return
 			}
 		}
 
diff --git a/http/sys_metrics.go b/http/sys_metrics.go
@@ -17,6 +17,7 @@ func handleMetricsUnauthenticated(core *vault.Core) http.Handler {
 		case "GET":
 		default:
 			respondError(w, http.StatusMethodNotAllowed, nil)
+			return
 		}
 
 		// Parse form
diff --git a/http/sys_raft.go b/http/sys_raft.go
@@ -33,6 +33,7 @@ func handleSysRaftJoinPost(core *vault.Core, w http.ResponseWriter, r *http.Requ
 
 	if req.NonVoter && !nonVotersAllowed {
 		respondError(w, http.StatusBadRequest, errors.New("non-voting nodes not allowed"))
+		return
 	}
 
 	var tlsConfig *tls.Config

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ func Handler(ctx context.Context, logger hclog.Logger, proxier Proxier, inmemSin`
`40`	`40`	`if err != nil {`
`41`	`41`	`logger.Error("failed to read request body")`
`42`	`42`	`logical.RespondError(w, http.StatusInternalServerError, errors.New("failed to read request body"))`
	`43`	`+ return`
`43`	`44`	`}`
`44`	`45`	`if r.Body != nil {`
`45`	`46`	`r.Body.Close()`
Original file line number	Diff line number	Diff line change
`@@ -232,6 +232,7 @@ func handleLogicalRecovery(raw vault.RawBackend, token atomic.String) http.Han`
`232`	`232`	`reqToken := r.Header.Get(consts.AuthHeaderName)`
`233`	`233`	`if reqToken == "" \|\| token.Load() == "" \|\| reqToken != token.Load() {`
`234`	`234`	`respondError(w, http.StatusForbidden, nil)`
	`235`	`+ return`
`235`	`236`	`}`
`236`	`237`
`237`	`238`	`resp, err := raw.HandleRequest(r.Context(), req)`
`@@ -379,6 +380,7 @@ func handleLogicalInternal(core *vault.Core, injectDataIntoTopLevel bool, noForw`
`379`	`380`	`case strings.HasPrefix(req.Path, "sys/metrics"):`
`380`	`381`	`if isStandby, _ := core.Standby(); isStandby {`
`381`	`382`	`respondError(w, http.StatusBadRequest, vault.ErrCannotForwardLocalOnly)`
	`383`	`+ return`
`382`	`384`	`}`
`383`	`385`	`}`
`384`	`386`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ func handleMetricsUnauthenticated(core *vault.Core) http.Handler {`
`17`	`17`	`case "GET":`
`18`	`18`	`default:`
`19`	`19`	`respondError(w, http.StatusMethodNotAllowed, nil)`
	`20`	`+ return`
`20`	`21`	`}`
`21`	`22`
`22`	`23`	`// Parse form`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ func handleSysRaftJoinPost(core vault.Core, w http.ResponseWriter, r http.Requ`
`33`	`33`
`34`	`34`	`if req.NonVoter && !nonVotersAllowed {`
`35`	`35`	`respondError(w, http.StatusBadRequest, errors.New("non-voting nodes not allowed"))`
	`36`	`+ return`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`var tlsConfig *tls.Config`