Fix RPM resource leak (#31794)

Fixes a resource leak introduced by #27069.

- add defer
- move sign code out of `repository.go`

routers/api/packages/rpm/rpm.go

@@ -133,19 +133,20 @@ func UploadPackageFile(ctx *context.Context) {
 	}
 	defer buf.Close()
 
-	// if rpm sign enabled
 	if setting.Packages.DefaultRPMSignEnabled || ctx.FormBool("sign") {
-		pri, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
+		priv, _, err := rpm_service.GetOrCreateKeyPair(ctx, ctx.Package.Owner.ID)
 		if err != nil {
 			apiError(ctx, http.StatusInternalServerError, err)
 			return
 		}
-		buf, err = rpm_service.SignPackage(buf, pri)
+		signedBuf, err := rpm_service.SignPackage(buf, priv)
 		if err != nil {
-			// Not in rpm format, parsing failed.
 			apiError(ctx, http.StatusBadRequest, err)
 			return
 		}
+		defer signedBuf.Close()
+
+		buf = signedBuf
 	}
 
 	pck, err := rpm_module.ParsePackage(buf)

services/packages/rpm/repository.go

@@ -21,7 +21,6 @@ import (
 	rpm_model "code.gitea.io/gitea/models/packages/rpm"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/json"
-	"code.gitea.io/gitea/modules/log"
 	packages_module "code.gitea.io/gitea/modules/packages"
 	rpm_module "code.gitea.io/gitea/modules/packages/rpm"
 	"code.gitea.io/gitea/modules/util"
@@ -30,7 +29,6 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp"
 	"github.com/ProtonMail/go-crypto/openpgp/armor"
 	"github.com/ProtonMail/go-crypto/openpgp/packet"
-	"github.com/sassoftware/go-rpmutils"
 )
 
 // GetOrCreateRepositoryVersion gets or creates the internal repository package
@@ -643,33 +641,3 @@ func addDataAsFileToRepo(ctx context.Context, pv *packages_model.PackageVersion,
 		OpenSize:  wc.Written(),
 	}, nil
 }
-
-func SignPackage(rpm *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
-	keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewReader([]byte(privateKey)))
-	if err != nil {
-		// failed to parse key
-		return nil, err
-	}
-	entity := keyring[0]
-	h, err := rpmutils.SignRpmStream(rpm, entity.PrivateKey, nil)
-	if err != nil {
-		// error signing rpm
-		return nil, err
-	}
-	signBlob, err := h.DumpSignatureHeader(false)
-	if err != nil {
-		// error writing sig header
-		return nil, err
-	}
-	if len(signBlob)%8 != 0 {
-		log.Info("incorrect padding: got %d bytes, expected a multiple of 8", len(signBlob))
-		return nil, err
-	}
-
-	// move fp to sign end
-	if _, err := rpm.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
-		return nil, err
-	}
-	// create signed rpm buf
-	return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), rpm))
-}

services/packages/rpm/sign.go

@@ -0,0 +1,39 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package rpm
+
+import (
+	"bytes"
+	"io"
+	"strings"
+
+	packages_module "code.gitea.io/gitea/modules/packages"
+
+	"github.com/ProtonMail/go-crypto/openpgp"
+	"github.com/sassoftware/go-rpmutils"
+)
+
+func SignPackage(buf *packages_module.HashedBuffer, privateKey string) (*packages_module.HashedBuffer, error) {
+	keyring, err := openpgp.ReadArmoredKeyRing(strings.NewReader(privateKey))
+	if err != nil {
+		return nil, err
+	}
+
+	h, err := rpmutils.SignRpmStream(buf, keyring[0].PrivateKey, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	signBlob, err := h.DumpSignatureHeader(false)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err := buf.Seek(int64(h.OriginalSignatureHeaderSize()), io.SeekStart); err != nil {
+		return nil, err
+	}
+
+	// create new buf with signature prefix
+	return packages_module.CreateHashedBufferFromReader(io.MultiReader(bytes.NewReader(signBlob), buf))
+}