From cdd5b79141dbc88700f554e89a7af5705bf9eefa Mon Sep 17 00:00:00 2001 From: John Murret Date: Fri, 14 Jul 2023 14:53:27 -0600 Subject: [PATCH] [NET-4897] net/http host header is now verified and request.host that contains socked now error (#18129) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ### Description This is related to https://github.com/hashicorp/consul/pull/18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](https://github.com/moby/moby/pull/45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --- .github/workflows/go-tests.yml | 10 +++------- api/api.go | 11 +++++++++++ 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml index be773c2b0e06..744a398b5aa4 100644 --- a/.github/workflows/go-tests.yml +++ b/.github/workflows/go-tests.yml @@ -376,7 +376,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" - go-version: "1.19.10" + go-version: "1.19" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read @@ -395,12 +395,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" - # pinning this to 1.20.5 because this issue in go-testcontainers occurs - # in 1.20.6 with the error "http: invalid Host header, host port waiting failed" - # https://github.com/testcontainers/testcontainers-go/issues/1359 - # remove setting this when the above issue is fixed so that the reusable - # job will just get the go version from go.mod. - go-version: "1.20.5" + go-version: "1.20" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read @@ -438,6 +433,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" + go-version: "1.20" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read diff --git a/api/api.go b/api/api.go index 772f8693b028..1d4f201621f3 100644 --- a/api/api.go +++ b/api/api.go @@ -984,6 +984,17 @@ func (r *request) toHTTP() (*http.Request, error) { return nil, err } + // validate that socket communications that do not use the host, detect + // slashes in the host name and replace it with local host. + // this is required since go started validating req.host in 1.20.6 and 1.19.11. + // prior to that they would strip out the slashes for you. They removed that + // behavior and added more strict validation as part of a CVE. + // https://github.com/golang/go/issues/60374 + // the hope is that + if strings.HasPrefix(r.url.Host, "/") { + r.url.Host = "localhost" + } + req.URL.Host = r.url.Host req.URL.Scheme = r.url.Scheme req.Host = r.url.Host