multi: use safe copy for macaroons

Fixes #4383 by adding a new SafeCopyMacaroon function that correctly clones all caveats and prevents modifications on the copy from affecting the original.
2025-09-12 22:59:38 +02:00 · 2021-08-12 16:07:18 +02:00
parent 538175f487
commit 045765111a
7 changed files with 105 additions and 7 deletions
--- a/macaroons/constraints.go
+++ b/macaroons/constraints.go
@@ -50,7 +50,14 @@ type Checker func() (string, checkers.Func)
 func AddConstraints(mac *macaroon.Macaroon,
 	cs ...Constraint) (*macaroon.Macaroon, error) {

-	newMac := mac.Clone()
+	// The macaroon library's Clone() method has a subtle bug that doesn't
+	// correctly clone all caveats. We need to use our own, safe clone
+	// function instead.
+	newMac, err := SafeCopyMacaroon(mac)
+	if err != nil {
+		return nil, err
+	}
+
 	for _, constraint := range cs {
 		if err := constraint(newMac); err != nil {
 			return nil, err