🌱 Refactoring: never assign unacceptable TLS versions #2037
Conversation
Branch force-pushed from 9875542 to 5bc74ed
Thanks. Can you please do a couple of things for me before merging?
Branch force-pushed from 5bc74ed to c619d91
done. PTAL
/approve Thank you!
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mdbooth. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold cancel
/lgtm
/hold
tests still failing. Happy to LGTM once they're fixed.
This commit makes security linting easier by never setting a TLS version outside v1.2 or v1.3, even in the case of unacceptable user input.
Branch force-pushed from c619d91 to 27526d5
/hold cancel
Unit tests pass, and this PR doesn't do anything which should affect the e2e tests. /lgtm
This commit makes security linting easier by never setting a TLS version outside v1.2 or v1.3, even in the case of unacceptable user input. Upstream PR: kubernetes-sigs#2037 (cherry picked from commit 27526d5)
@pierreprinetti do we want/need it in release-0.10?
That'd be swell. In the meantime, the bug has been validated by Snyk and reportedly passed on to their engineering.
/cherry-pick release-0.10
@EmilienM: new pull request created: #2062 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
What this PR does / why we need it:
Our downstream security scan is confused by GetTLSVersion returning 0 as a value (even if coupled with a non-nil error), which could end up being assigned to the same identifier that (in a non-error context) would set the TLS version. This patch makes security linting easier by never setting a TLS version outside v1.2 or v1.3, even in the case of unacceptable user input.
Special notes for your reviewer:
This is expected to be a pure refactoring. Please reject this patch if it introduces any change in behaviour.
TODOs:
/hold
Fixes: #2034
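To make the refactoring concrete, here is an added illustration of the pattern the PR description and commit message describe; it is not code from cluster-api-provider-openstack. It assumes a GetTLSVersion with signature func(string) (uint16, error), the version names "TLSv1.2" and "TLSv1.3", and the helper names getTLSVersionBefore, newTLSConfigBefore and NewTLSConfig, all of which are assumptions for this example. The "before" pair shows the shape a data-flow scanner objects to (a literal 0 that can reach tls.Config.MinVersion on the error path); the "after" pair returns the lowest acceptable version even alongside an error and checks the error before any config is built.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Accepted TLS version names. These strings are an assumption for this
// illustration; they are not the project's own parsing rules.
const (
	versionNameTLS12 = "TLSv1.2"
	versionNameTLS13 = "TLSv1.3"
)

// getTLSVersionBefore is the shape the PR description complains about: on
// bad input it returns 0 together with the error. Nothing is wrong at run
// time, but a data-flow scanner sees the literal 0 reaching tls.Config.MinVersion.
func getTLSVersionBefore(name string) (uint16, error) {
	switch name {
	case versionNameTLS12:
		return tls.VersionTLS12, nil
	case versionNameTLS13:
		return tls.VersionTLS13, nil
	}
	return 0, fmt.Errorf("unsupported TLS version %q", name)
}

// newTLSConfigBefore assigns the returned value to the variable that feeds
// MinVersion before the error is checked, so on the error path that variable
// holds 0 (which crypto/tls interprets as "use the package default").
func newTLSConfigBefore(name string) (*tls.Config, error) {
	minVersion, err := getTLSVersionBefore(name)
	cfg := &tls.Config{MinVersion: minVersion} // scanner: MinVersion may be 0 here
	if err != nil {
		return nil, err
	}
	return cfg, nil
}

// GetTLSVersion is the refactored form (hypothetical signature): every return
// path yields TLS 1.2 or TLS 1.3. Unacceptable input still produces an error,
// but the value accompanying it is the lowest acceptable version, never 0.
func GetTLSVersion(name string) (uint16, error) {
	switch name {
	case versionNameTLS12:
		return tls.VersionTLS12, nil
	case versionNameTLS13:
		return tls.VersionTLS13, nil
	default:
		return tls.VersionTLS12, fmt.Errorf("unsupported TLS version %q: only %s and %s are accepted",
			name, versionNameTLS12, versionNameTLS13)
	}
}

// NewTLSConfig checks the error before anything is assigned into the config,
// so no tls.Config with an out-of-range MinVersion is ever constructed.
func NewTLSConfig(name string) (*tls.Config, error) {
	minVersion, err := GetTLSVersion(name)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: minVersion}, nil
}

func main() {
	// Constructed sample inputs: two acceptable names, two unacceptable ones.
	for _, name := range []string{"TLSv1.2", "TLSv1.3", "TLSv1.0", "garbage"} {
		before, errBefore := getTLSVersionBefore(name)
		after, errAfter := GetTLSVersion(name)
		fmt.Printf("%-8s before=0x%04x err=%t | after=0x%04x err=%t\n",
			name, before, errBefore != nil, after, errAfter != nil)
	}
}
```

Both callers reject bad input; the difference is only in what a static scanner can prove about the value flowing into MinVersion, which is exactly the "pure refactoring, no behaviour change" the reviewer notes ask for.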