Skip to content

feat(allowedpaths): guarantee Close on context expiry to prevent fd leaks #157

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
thieman merged 3 commits into from
Mar 26, 2026
Merged

feat(allowedpaths): guarantee Close on context expiry to prevent fd leaks #157

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
5ce4e19
feat(allowedpaths): guarantee Close on context expiry to prevent fd l…
thieman Mar 26, 2026
25bf4a1
fix(allowedsymbols): add context.Context and sync.Once to allowedpath…
thieman Mar 26, 2026
c3ec7d0
test(allowedpaths): Linux unit tests for WithContextClose across all …
thieman Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions allowedpaths/context_file.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2026-present Datadog, Inc.

package allowedpaths

import (
"context"
"io"
"sync"
)

// contextFile wraps an io.ReadWriteCloser and ensures Close is called when
// the associated context expires. This acts as a safety backstop to prevent
// file descriptor leaks if a caller omits an explicit Close call. Callers
// that already defer Close (the common case) are unaffected — the underlying
// file is closed at most once regardless of how many times Close is invoked.
type contextFile struct {
io.ReadWriteCloser
closeOnce sync.Once
stopOnce sync.Once
stopped chan struct{}
}

// WithContextClose wraps f so that f.Close() is guaranteed to be called when
// ctx is done, in addition to any explicit Close calls made by the caller.
// The underlying file is closed at most once.
//
// A background goroutine waits for either ctx cancellation or an explicit
// Close call. If the context expires first the file is closed immediately and
// the goroutine exits. If Close is called first the goroutine is signalled to
// stop and exits without touching the file again.
func WithContextClose(ctx context.Context, f io.ReadWriteCloser) io.ReadWriteCloser {
cf := &contextFile{
ReadWriteCloser: f,
stopped: make(chan struct{}),
}
go func() {
select {
case <-ctx.Done():
cf.closeOnce.Do(func() {
cf.ReadWriteCloser.Close() //nolint:errcheck
})
case <-cf.stopped:
// explicitly closed; goroutine exits cleanly
}
}()
return cf
}

// Close closes the underlying file and signals the background goroutine to
// exit. Safe to call multiple times; the file is closed at most once.
func (cf *contextFile) Close() error {
// Signal the goroutine to exit before closing, so it cannot race to
// close the file after we return.
cf.stopOnce.Do(func() {
close(cf.stopped)
})
var err error
cf.closeOnce.Do(func() {
err = cf.ReadWriteCloser.Close()
})
return err
}
Loading
Loading