Skip to content

Commit

Permalink
Backport of [NET-4897] net/http host header is now verified and reque…
Browse files Browse the repository at this point in the history
…st.host that contains socked now error into release/1.14.x (#18143)

## Backport

This PR is auto-generated from #18129 to be assessed for backporting due
to the inclusion of the label backport/1.14.


:rotating_light:
>**Warning** automatic cherry-pick of commits failed. If the first
commit failed,
you will see a blank no-op commit below. If at least one commit
succeeded, you
will see the cherry-picked commits up to, _not including_, the commit
where
the merge conflict occurred.

The person who merged in the original PR is:
@jmurret
This person should manually cherry-pick the original PR into a new
backport PR,
and close this one when the manual backport PR is merged in.

> merge conflict error: POST
https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict
[]



The below text is copied from the body of the original PR.

---

### Description

This is related to #18124 where
we pinned the go versions in CI to 1.20.5 and 1.19.10.

go 1.20.6 and 1.19.11 now validate request host headers for validity,
including the hostname cannot be prefixed with slashes.

For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname. Prior versions go Go would
clean the host header, and strip slashes in the process, but go1.20.6
and go1.19.11 no longer do, and reject the host header. Around the
community we are seeing that others are intercepting the req.host and if
it starts with a slash or ends with .sock, they changing the host to
localhost or another dummy value.

[client: define a "dummy" hostname to use for local connections by
thaJeztah · Pull Request #45942 ·
moby/moby](moby/moby#45942)

### Testing & Reproduction steps

Check CI tests.

### Links
* [ ] updated test coverage
* [ ] external facing docs updated
* [ ] appropriate backport labels added
* [ ] not a security concern


---

<details>
<summary> Overview of commits </summary>

- 747195f -
5164924 -
f4d6ca1 -
a474071 -
8c03b36 -
c50b17c -
cc8eaf8 -
ce10138 -
133c7ec -
b0bd440 -
8f22308 -
f8578b0 -
4452224 -
19634a4

</details>

---------

Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: John Murret <john.murret@hashicorp.com>
  • Loading branch information
3 people authored Jul 17, 2023
1 parent 14c3bc8 commit 9128a08
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
10 changes: 3 additions & 7 deletions .github/workflows/go-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-xl }}
repository-name: ${{ github.repository }}
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
go-version: "1.19.10"
go-version: "1.19"
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
Expand All @@ -309,12 +309,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-xl }}
repository-name: ${{ github.repository }}
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
# pinning this to 1.20.5 because this issue in go-testcontainers occurs
# in 1.20.6 with the error "http: invalid Host header, host port waiting failed"
# https://github.com/testcontainers/testcontainers-go/issues/1359
# remove setting this when the above issue is fixed so that the reusable
# job will just get the go version from go.mod.
go-version: "1.20.5"
go-version: "1.20"
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
Expand Down Expand Up @@ -352,6 +347,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-xl }}
repository-name: ${{ github.repository }}
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
go-version: "1.20"
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
Expand Down
11 changes: 11 additions & 0 deletions api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -962,6 +962,17 @@ func (r *request) toHTTP() (*http.Request, error) {
return nil, err
}

// validate that socket communications that do not use the host, detect
// slashes in the host name and replace it with local host.
// this is required since go started validating req.host in 1.20.6 and 1.19.11.
// prior to that they would strip out the slashes for you. They removed that
// behavior and added more strict validation as part of a CVE.
// https://github.com/golang/go/issues/60374
// the hope is that
if strings.HasPrefix(r.url.Host, "/") {
r.url.Host = "localhost"
}

req.URL.Host = r.url.Host
req.URL.Scheme = r.url.Scheme
req.Host = r.url.Host
Expand Down

0 comments on commit 9128a08

Please sign in to comment.