From 134530ad015ba052b6b30826552983c3a003376e Mon Sep 17 00:00:00 2001 From: Vishnu N C Date: Tue, 28 Apr 2026 17:26:25 +0530 Subject: [PATCH] fix: Address codebase TODOs in http.go and healthcheck.go Problem There were some pending TODO comments in the codebase that represented technical debt: missing input validation for HTTP parsing and a hardcoded clock skew value that needed to be configurable. Solution - Added input validation and sanitization to ParseScheme and ParseMethod in pkg/util/http.go. - Configured the allowed clock skew as AllowedClockSkew in the Options struct and updated healthcheck.go to use this field instead of the hardcoded global constant. Validation Ran the test suite locally for pkg/util and pkg/healthcheck (go test ./pkg/util ./pkg/healthcheck), and ran go vet. All tests pass successfully. Signed-off-by: Vishnu N C --- pkg/healthcheck/healthcheck.go | 13 ++++++++----- pkg/util/http.go | 22 ++++++++++++++++++++-- 2 files changed, 28 insertions(+), 7 deletions(-) diff --git a/pkg/healthcheck/healthcheck.go b/pkg/healthcheck/healthcheck.go index 08de4dc750ac3..3c974314d0baf 100644 --- a/pkg/healthcheck/healthcheck.go +++ b/pkg/healthcheck/healthcheck.go @@ -168,13 +168,11 @@ const ( keyKeyName = "tls.key" ) -// AllowedClockSkew sets the allowed skew in clock synchronization +// DefaultAllowedClockSkew sets the allowed skew in clock synchronization // between the system running inject command and the node(s), being // based on assumed node's heartbeat interval (5 minutes) plus default TLS // clock skew allowance. -// -// TODO: Make this default value overridable, e.g. by CLI flag -const AllowedClockSkew = 5*time.Minute + tls.DefaultClockSkewAllowance +const DefaultAllowedClockSkew = 5*time.Minute + tls.DefaultClockSkewAllowance var linkerdHAControlPlaneComponents = []string{ "linkerd-destination", @@ -393,6 +391,7 @@ func (c *Category) WithHintBaseURL(hintBaseURL string) *Category { // Options specifies configuration for a HealthChecker. type Options struct { IsMainCheckCommand bool + AllowedClockSkew time.Duration ControlPlaneNamespace string CNINamespace string DataPlaneNamespace string @@ -439,6 +438,10 @@ func NewHealthChecker(categoryIDs []CategoryID, options *Options) *HealthChecker Options: options, } + if hc.Options != nil && hc.Options.AllowedClockSkew == 0 { + hc.Options.AllowedClockSkew = DefaultAllowedClockSkew + } + hc.categories = hc.allCategories() checkMap := map[CategoryID]struct{}{} @@ -2670,7 +2673,7 @@ func (hc *HealthChecker) checkClockSkew(ctx context.Context) error { // we want to check only KubeletReady condition and only execute if the node is ready if condition.Type == corev1.NodeReady && condition.Status == corev1.ConditionTrue { since := time.Since(condition.LastHeartbeatTime.Time) - if (since > AllowedClockSkew) || (since < -AllowedClockSkew) { + if (since > hc.AllowedClockSkew) || (since < -hc.AllowedClockSkew) { clockSkewNodes = append(clockSkewNodes, node.Name) } } diff --git a/pkg/util/http.go b/pkg/util/http.go index e603a7a4a5561..1b82113992a9c 100644 --- a/pkg/util/http.go +++ b/pkg/util/http.go @@ -15,8 +15,17 @@ const KB = 1024 const MB = KB * 1024 // ParseScheme converts a scheme string to protobuf -// TODO: validate scheme func ParseScheme(scheme string) *httpPb.Scheme { + // Validate and sanitize input + scheme = strings.TrimSpace(scheme) + if scheme == "" { + return &httpPb.Scheme{ + Type: &httpPb.Scheme_Unregistered{ + Unregistered: "", + }, + } + } + value, ok := httpPb.Scheme_Registered_value[strings.ToUpper(scheme)] if ok { return &httpPb.Scheme{ @@ -33,8 +42,17 @@ func ParseScheme(scheme string) *httpPb.Scheme { } // ParseMethod converts a method string to protobuf -// TODO: validate method func ParseMethod(method string) *httpPb.HttpMethod { + // Validate and sanitize input + method = strings.TrimSpace(method) + if method == "" { + return &httpPb.HttpMethod{ + Type: &httpPb.HttpMethod_Unregistered{ + Unregistered: "", + }, + } + } + value, ok := httpPb.HttpMethod_Registered_value[strings.ToUpper(method)] if ok { return &httpPb.HttpMethod{