fix: add nil safety guards and missing JWT validation #1062

Open
Kewe63 wants to merge 1 commit into base: main from Kewe63:fix/geth-apt-lists-and-nil-pointer-guards

Conversation

@Kewe63 commented May 11, 2026

Problem

Four distinct issues were identified during code review of the Dockerfiles, entrypoint scripts, and the dependency updater tool:

  1. geth/Dockerfile: The apt-get package list cleanup deletes the /var/lib/apt/lists directory itself instead of its contents, which is inconsistent with the other Dockerfiles and deviates from Docker best practices.

  2. dependency_updater/dependency_updater.go (line 272): selectedTag.Commit.SHA is dereferenced without checking whether selectedTag.Commit is nil. The GitHub API may return a tag without a commit object in edge cases (e.g., lightweight tags, race conditions during tag creation), which would cause a nil pointer dereference panic.

  3. dependency_updater/dependency_updater.go (line 296): branchCommit[0].SHA assumes ListCommits returns at least one commit. If the branch exists but has no commits (empty repository, deleted branch race), this causes an index-out-of-bounds panic.

  4. reth-entrypoint, op-node-entrypoint, base-consensus-entrypoint: BASE_NODE_L2_ENGINE_AUTH_RAW is written to the JWT secret file without validating it is set and non-empty. If misconfigured, the JWT file becomes empty and the Engine API authentication fails silently — the node starts but cannot communicate with the execution layer.

Root Cause

  1. geth/Dockerfile: A typo/oversight — the / suffix was omitted during authoring while the sibling Dockerfiles (reth/Dockerfile, nethermind/Dockerfile) use the correct lists/ pattern.

  2. dependency_updater nil commit: The GitHub client pagination code collects tags across pages but assumes every tag returned by Repositories.ListTags has a non-nil Commit pointer. GitHub's API contract permits nil commits on tags, but no defensive check was implemented.

  3. dependency_updater empty commits: The branch-tracking code path calls Repositories.ListCommits and immediately indexes into the result without checking the slice length. An empty branch produces an empty response, which triggers a runtime panic.

  4. Missing JWT validation: When the entrypoint scripts were authored, the JWT auth validation was added to nethermind-entrypoint but was not replicated to the other three entrypoint scripts that also write the JWT secret.

Fix

  1. geth/Dockerfile (line 32): Changed rm -rf /var/lib/apt/lists to rm -rf /var/lib/apt/lists/ — now matches the pattern used by the other Dockerfiles.

  2. dependency_updater (lines 269–273): Added a nil check for selectedTag.Commit and selectedTag.Commit.SHA before dereferencing. When nil, the tag is logged and skipped — the current version is preserved instead of panicking.

  3. dependency_updater (lines 300–304): Added len(branchCommit) == 0 guard before indexing. When the commits list is empty, the current version is preserved and a warning is logged.

  4. reth-entrypoint, op-node-entrypoint, base-consensus-entrypoint: Added the same validation block that nethermind-entrypoint already uses:

if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" ]]; then
    echo "Expected BASE_NODE_L2_ENGINE_AUTH_RAW to be set" 1>&2
    exit 1
fi

Testing

  • Go unit tests: All 7 test suites pass (TestParseVersion, TestValidateVersionUpgrade, TestCompareVersions, TestIsReleaseVersion, TestIsRCVersion, TestIsReleaseOrRCVersion, TestRCVersionOrdering) — 76 test cases total.
  • Go build: go build ./... completes without errors.
  • Shell syntax: Entrypoint changes follow the identical validation pattern already in use by nethermind-entrypoint, which has been running in production.

Result

After this PR:

  • The geth Docker image build properly cleans apt lists (consistent with reth and nethermind builds).
  • The dependency updater no longer panics on unexpected GitHub API responses — nil commits and empty commit lists are handled gracefully.
  • All four execution client entrypoints (reth, geth, nethermind, and the consensus node entrypoints) consistently validate the JWT secret before writing it, preventing silent authentication failures.

No breaking changes. Behavior is preserved for all correctly configured deployments.

- fix(geth): add missing wildcard to apt lists cleanup in Dockerfile
  (rm -rf /var/lib/apt/lists/* instead of /var/lib/apt/lists)
- fix(dependency_updater): guard against nil Commit on tag response
  Prevents panic when GitHub returns a tag without a commit object.
- fix(dependency_updater): guard against empty commits list on branch
  tracking. Prevents index-out-of-bounds panic when ListCommits returns
  an empty response.
- fix(entrypoints): add BASE_NODE_L2_ENGINE_AUTH_RAW validation to
  reth-entrypoint, op-node-entrypoint and base-consensus-entrypoint
  (nethermind-entrypoint already had this check)
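For readers who want to see the fail-fast behaviour the PR adds to the entrypoints in a form they can run, here is an added example that is not part of this PR or the repository's own entrypoint code. It wraps the same `-z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}"` check quoted above in a function and goes one step further than the PR: it assumes the value is the Engine API's 32-byte secret as 64 hex characters (optionally prefixed with `0x`), rejects anything else, and writes the file with owner-only permissions. The `write_jwt_secret` name and the hex-format and permission rules are this example's assumptions, not behaviour the page states.

```sh
#!/bin/sh
# Added example, not the repository's entrypoint code. Assumptions: the secret
# arrives in BASE_NODE_L2_ENGINE_AUTH_RAW (as on the page) and is the Engine
# API's 32-byte secret as 64 hex characters, optionally prefixed with "0x".
set -u

# write_jwt_secret RAW DEST
# Validates RAW before anything is written: exit status 1 and no file on any
# failure, so a misconfigured node stops here instead of starting with an
# empty JWT secret and failing Engine API authentication later.
write_jwt_secret() {
    raw="${1:-}"
    dest="${2:?destination path required}"

    # Same check the page's entrypoints use: unset or empty is fatal.
    if [ -z "$raw" ]; then
        echo "Expected BASE_NODE_L2_ENGINE_AUTH_RAW to be set" 1>&2
        return 1
    fi

    # Normalise an optional 0x prefix (assumption: clients read the bare hex).
    raw="${raw#0x}"

    # Reject anything that is not hexadecimal.
    case "$raw" in
        *[!0-9a-fA-F]*)
            echo "BASE_NODE_L2_ENGINE_AUTH_RAW must be hex-encoded" 1>&2
            return 1 ;;
    esac

    # A 32-byte secret is exactly 64 hex characters.
    if [ "${#raw}" -ne 64 ]; then
        echo "BASE_NODE_L2_ENGINE_AUTH_RAW must be 64 hex characters, got ${#raw}" 1>&2
        return 1
    fi

    # Write owner-read/write only; the umask is scoped to the subshell.
    ( umask 077 && printf '%s\n' "$raw" > "$dest" )
}
```

An entrypoint would call it as `write_jwt_secret "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" "$JWT_SECRET_PATH" || exit 1` (with `JWT_SECRET_PATH` standing in for whatever path the client reads its secret from). Validating before the redirect matters: a redirect that runs first would create an empty file even when the check then aborts, which is exactly the silent-failure state the PR describes.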
@cb-heimdall (Collaborator) commented

🟡 Heimdall Review Status

Reviews: 🟡 0/1
