Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update grpc-gateway dependency #2311

Merged
merged 2 commits into from
Aug 12, 2022
Merged

Update grpc-gateway dependency #2311

merged 2 commits into from
Aug 12, 2022

Conversation

johanbrandhorst
Copy link
Collaborator

This fixes an issue which would allow an attacker to trigger a
(recovered) panic in the gateway handler.

@johanbrandhorst johanbrandhorst requested a review from jefferai July 30, 2022 03:26
@johanbrandhorst johanbrandhorst changed the title chore(deps): Update grpc-gateway dependency Update grpc-gateway dependency Jul 30, 2022
@johanbrandhorst
Copy link
Collaborator Author

johanbrandhorst commented Jul 31, 2022
edited
Loading

I don't think we need to get this in for 0.10.0. The impact of this bug is that an attacker can basically spam the logs of the controller with panic messages. There is no denial of service, as the panic is recovered by the Go HTTP stack.

@jefferai jefferai added this to the 0.9.2 milestone Aug 1, 2022
@johanbrandhorst johanbrandhorst modified the milestones: 0.9.2, deferred Aug 2, 2022
@johanbrandhorst johanbrandhorst force-pushed the jbrandhorst-bump-grpc-gateway branch from 836e377 to 3809d50 Compare August 6, 2022 08:44
@johanbrandhorst
Copy link
Collaborator Author

This is ready for review again, we can merge once 0.10.0 is out.

@johanbrandhorst johanbrandhorst force-pushed the jbrandhorst-bump-grpc-gateway branch 2 times, most recently from 162c8a8 to c620e15 Compare August 8, 2022 21:38
@johanbrandhorst
chore(deps): Update grpc-gateway dependency
4b685bc 
This fixes an issue which would allow an attacker to trigger a
(recovered) panic in the gateway handler.
@johanbrandhorst
fix(server): Use cmp.Diff instead of assert.Equal
6412aa4 
Testify is not great at handling protobuf types, and
was for some reason returning a diff here when in
reality there is none. Switch to go-cmp for the
comparison to remove the error.
@johanbrandhorst johanbrandhorst force-pushed the jbrandhorst-bump-grpc-gateway branch from c620e15 to 6412aa4 Compare August 10, 2022 22:01
@johanbrandhorst johanbrandhorst removed this from the deferred milestone Aug 11, 2022
@johanbrandhorst johanbrandhorst added this to the 0.10.2 milestone Aug 11, 2022
@johanbrandhorst johanbrandhorst merged commit 222a935 into main Aug 12, 2022
@johanbrandhorst johanbrandhorst deleted the jbrandhorst-bump-grpc-gateway branch August 12, 2022 00:24
@jefferai jefferai modified the milestones: 0.10.2, 0.10.3 Aug 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai Awaiting requested review from jefferai

Assignees
No one assigned
Labels
core/auth core/db core/gen core/host core/iam core/kms core/oplog core/proxy core/server core/target core
Projects
None yet
Milestone
0.10.4
Development

Successfully merging this pull request may close these issues.
2 participants
@johanbrandhorst @jefferai