Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NET-4897] net/http host header is now verified and request.host that contains socked now error #18129

Merged
merged 14 commits into from
Jul 14, 2023
Merged
Show file tree
Hide file tree
Changes from 12 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 2 additions & 7 deletions .github/workflows/go-tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -376,7 +376,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-xl }}
repository-name: ${{ github.repository }}
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
go-version: "1.19.10"
go-version: "1.19"
jmurret marked this conversation as resolved.
Show resolved Hide resolved
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
Expand All @@ -395,12 +395,7 @@ jobs:
runs-on: ${{ needs.setup.outputs.compute-xl }}
repository-name: ${{ github.repository }}
go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
# pinning this to 1.20.5 because this issue in go-testcontainers occurs
# in 1.20.6 with the error "http: invalid Host header, host port waiting failed"
# https://github.com/testcontainers/testcontainers-go/issues/1359
# remove setting this when the above issue is fixed so that the reusable
# job will just get the go version from go.mod.
go-version: "1.20.5"
go-version: "1.20"
permissions:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
Expand Down
4 changes: 4 additions & 0 deletions api/api.go
Original file line number Diff line number Diff line change
Expand Up @@ -1000,6 +1000,10 @@ func (r *request) toHTTP() (*http.Request, error) {
return nil, err
}

if strings.HasPrefix(r.url.Host, "/") {
jmurret marked this conversation as resolved.
Show resolved Hide resolved
r.url.Host = "localhost"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So . or - may be accepted (see moby/moby#45942 (review)), but yeah, empty would've been most transparent.

}

req.URL.Host = r.url.Host
req.URL.Scheme = r.url.Scheme
req.Host = r.url.Host
Expand Down
23 changes: 23 additions & 0 deletions api/api_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -991,6 +991,29 @@ func TestAPI_RequestToHTTP(t *testing.T) {
}
}

func TestAPI_RequestToHTTP_PrefixedWithSlashes(t *testing.T) {
t.Parallel()
c, s := makeClient(t)
defer s.Stop()

c.config.Address = "/tmp/mysocket.sock"
r := c.newRequest("DELETE", "/v1/kv/foo")
q := &QueryOptions{
Datacenter: "foo",
}
r.setQueryOptions(q)
req, err := r.toHTTP()
require.NoError(t, err)
// validate that socket communications that do not use the host, detect
// slashes in the host name and replace it with local host.
// this is required since go started validating req.host in 1.20.6.
// prior to that they would strip out the slahes for you. They removed that
// behavior and added more strict validation as part of a CVE.
// https://github.com/golang/go/issues/11206
require.Equal(t, "localhost", req.Host)
jmurret marked this conversation as resolved.
Show resolved Hide resolved

}

func TestAPI_ParseQueryMeta(t *testing.T) {
t.Parallel()
resp := &http.Response{
Expand Down