From bad54b6f3fe38aea89955091d2f38fbb86a5ec45 Mon Sep 17 00:00:00 2001 From: Knative Automation Date: Fri, 20 Mar 2026 02:21:22 +0000 Subject: [PATCH] upgrade to latest dependencies bumping google.golang.org/grpc 8902ab6...dda86db: > dda86db Change version to 1.79.3 (# 8983) > 72186f1 grpc: enforce strict path checking for incoming requests on the server (# 8981) > 97ca352 Changing version to 1.79.3-dev (# 8954) bumping knative.dev/pkg 5d1c12d...8c68e18: > 8c68e18 Bump google.golang.org/grpc from 1.79.2 to 1.79.3 (# 3339) > 98d5a70 Update community files (# 3336) > 91e1768 Fix linter deprecation warnings (# 3335) bumping knative.dev/hack c448fdb...7eede7f: > 7eede7f Update community files (# 463) bumping knative.dev/networking 0055e92...91b576b: > 91b576b upgrade to latest dependencies (# 1124) > a339c35 upgrade to latest dependencies (# 1123) bumping knative.dev/serving 10d950c...5237de8: > 5237de8 Update net-contour nightly (# 16479) > 61dc2c5 Update net-kourier nightly (# 16480) > bea1edc Update net-gateway-api nightly (# 16477) > 2a046e0 Update net-istio nightly (# 16478) > dfcad6c Update community files (# 16476) > 80e9e60 upgrade to latest dependencies (# 16474) > 8c073ea Update net-contour nightly (# 16471) > 4fd63f7 Update net-gateway-api nightly (# 16470) > 5407b0c Update net-kourier nightly (# 16473) > fe4c325 Update net-istio nightly (# 16472) > 7831c9f upgrade to latest dependencies (# 16469) Signed-off-by: Knative Automation --- go.mod | 10 ++-- go.sum | 20 +++---- .../grpc/internal/envconfig/envconfig.go | 16 ++++++ vendor/google.golang.org/grpc/server.go | 57 +++++++++++++------ vendor/google.golang.org/grpc/version.go | 2 +- vendor/modules.txt | 10 ++-- 6 files changed, 78 insertions(+), 37 deletions(-) diff --git a/go.mod b/go.mod index 58f611e5..919dc55c 100644 --- a/go.mod +++ b/go.mod @@ -13,9 +13,9 @@ require ( k8s.io/apimachinery v0.35.2 k8s.io/client-go v0.35.2 k8s.io/code-generator v0.35.2 - knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 - knative.dev/pkg v0.0.0-20260316154451-5d1c12d99335 - knative.dev/serving v0.48.1-0.20260316224151-10d950c3a0d7 + knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad + knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7 + knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037 ) require ( @@ -88,7 +88,7 @@ require ( gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect - google.golang.org/grpc v1.79.2 // indirect + google.golang.org/grpc v1.79.3 // indirect google.golang.org/protobuf v1.36.11 // indirect gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect @@ -97,7 +97,7 @@ require ( k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect - knative.dev/networking v0.0.0-20260313010219-0055e9277729 // indirect + knative.dev/networking v0.0.0-20260317015751-91b576b3d619 // indirect sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/randfill v1.0.0 // indirect sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect diff --git a/go.sum b/go.sum index d8ed5136..38eef8c8 100644 --- a/go.sum +++ b/go.sum @@ -232,8 +232,8 @@ google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 h1: google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:kSJwQxqmFXeo79zOmbrALdflXQeAYcUbgS7PbpMknCY= google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 h1:mWPCjDEyshlQYzBpMNHaEof6UX1PmHcaUODUywQ0uac= google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ= -google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU= -google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= +google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE= +google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE= google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= @@ -261,14 +261,14 @@ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZ k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 h1:b35SGLEp03D8oGf8mE9HBt3yfNgYpAK0fw46hFXs9w4= -knative.dev/hack v0.0.0-20260310014051-c448fdb867e2/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= -knative.dev/networking v0.0.0-20260313010219-0055e9277729 h1:sF6e1RnluIKCiZBPrz7BxIWkAkLU8hiSSK+1NusRmGM= -knative.dev/networking v0.0.0-20260313010219-0055e9277729/go.mod h1:72PhQ+qnOAwz9FFK8y301eWuiQ6vD9qVUFnDBjNhju8= -knative.dev/pkg v0.0.0-20260316154451-5d1c12d99335 h1:OpR5LNa0m34T8KOzGLwObjmMkxuuenSFU51oiNcfKRw= -knative.dev/pkg v0.0.0-20260316154451-5d1c12d99335/go.mod h1:o/XS1E/hYh9IR8deEEiJG4kKtQfqnf9Gwt5bwp2x4AU= -knative.dev/serving v0.48.1-0.20260316224151-10d950c3a0d7 h1:azehTw7pMvOK+Ijq7AwKRX5/0flM6O0khNTpFyUgLoY= -knative.dev/serving v0.48.1-0.20260316224151-10d950c3a0d7/go.mod h1:BJPmLXiP75SFAMo+xzU8SHcxmTbqYEbZk5xlgopye5g= +knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad h1:yH957Dv5HrPgllwTs7e1wvCKcjg/PC0QPQGEWkK7QFw= +knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= +knative.dev/networking v0.0.0-20260317015751-91b576b3d619 h1:Ff71TIn4yIVTWLrDF/SyN0KEJ1LNconyeptgkzZEzAY= +knative.dev/networking v0.0.0-20260317015751-91b576b3d619/go.mod h1:0UAbiLzpmMyhpjWVwRo9vYEWPKGyY6PM2VCKQkBpXE4= +knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7 h1:CGvCs59CA7mO81TrJpwxD0dLEpWVhfCRyjfHmsP1c6I= +knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7/go.mod h1:RdLk2PjzyP79Zsj4no0G8zGHeEq5JzYzP69owy2NiGY= +knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037 h1:lJfAaK2B1M2sDTcW1Vvn2ZVmRK++ohLOKKTwNlr0/5s= +knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037/go.mod h1:bQYwglHKejWgU/8tZvTRgJZD1LG+DD9O/SybqW57Pr8= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go index e8dc7912..7ad6fb44 100644 --- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go +++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go @@ -88,6 +88,22 @@ var ( // feature can be disabled by setting the environment variable // GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING to "false". PickFirstWeightedShuffling = boolFromEnv("GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING", true) + + // DisableStrictPathChecking indicates whether strict path checking is + // disabled. This feature can be disabled by setting the environment + // variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to "true". + // + // When strict path checking is enabled, gRPC will reject requests with + // paths that do not conform to the gRPC over HTTP/2 specification found at + // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md. + // + // When disabled, gRPC will allow paths that do not contain a leading slash. + // Enabling strict path checking is recommended for security reasons, as it + // prevents potential path traversal vulnerabilities. + // + // A future release will remove this environment variable, enabling strict + // path checking behavior unconditionally. + DisableStrictPathChecking = boolFromEnv("GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING", false) ) func boolFromEnv(envVar string, def bool) bool { diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go index 1b5cefe8..8efb29a7 100644 --- a/vendor/google.golang.org/grpc/server.go +++ b/vendor/google.golang.org/grpc/server.go @@ -42,6 +42,7 @@ import ( "google.golang.org/grpc/internal" "google.golang.org/grpc/internal/binarylog" "google.golang.org/grpc/internal/channelz" + "google.golang.org/grpc/internal/envconfig" "google.golang.org/grpc/internal/grpcsync" "google.golang.org/grpc/internal/grpcutil" istats "google.golang.org/grpc/internal/stats" @@ -149,6 +150,8 @@ type Server struct { serverWorkerChannel chan func() serverWorkerChannelClose func() + + strictPathCheckingLogEmitted atomic.Bool } type serverOptions struct { @@ -1762,6 +1765,24 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv return ss.s.WriteStatus(statusOK) } +func (s *Server) handleMalformedMethodName(stream *transport.ServerStream, ti *traceInfo) { + if ti != nil { + ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{stream.Method()}}, true) + ti.tr.SetError() + } + errDesc := fmt.Sprintf("malformed method name: %q", stream.Method()) + if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil { + if ti != nil { + ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true) + ti.tr.SetError() + } + channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err) + } + if ti != nil { + ti.tr.Finish() + } +} + func (s *Server) handleStream(t transport.ServerTransport, stream *transport.ServerStream) { ctx := stream.Context() ctx = contextWithServer(ctx, s) @@ -1782,26 +1803,30 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser } sm := stream.Method() - if sm != "" && sm[0] == '/' { + if sm == "" { + s.handleMalformedMethodName(stream, ti) + return + } + if sm[0] != '/' { + // TODO(easwars): Add a link to the CVE in the below log messages once + // published. + if envconfig.DisableStrictPathChecking { + if old := s.strictPathCheckingLogEmitted.Swap(true); !old { + channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream received malformed method name %q. Allowing it because the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is set to true, but this option will be removed in a future release.", sm) + } + } else { + if old := s.strictPathCheckingLogEmitted.Swap(true); !old { + channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream rejected malformed method name %q. To temporarily allow such requests, set the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to true. Note that this is not recommended as it may allow requests to bypass security policies.", sm) + } + s.handleMalformedMethodName(stream, ti) + return + } + } else { sm = sm[1:] } pos := strings.LastIndex(sm, "/") if pos == -1 { - if ti != nil { - ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{sm}}, true) - ti.tr.SetError() - } - errDesc := fmt.Sprintf("malformed method name: %q", stream.Method()) - if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil { - if ti != nil { - ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true) - ti.tr.SetError() - } - channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err) - } - if ti != nil { - ti.tr.Finish() - } + s.handleMalformedMethodName(stream, ti) return } service := sm[:pos] diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go index f9da6c6c..76c2eed7 100644 --- a/vendor/google.golang.org/grpc/version.go +++ b/vendor/google.golang.org/grpc/version.go @@ -19,4 +19,4 @@ package grpc // Version is the current grpc version. -const Version = "1.79.2" +const Version = "1.79.3" diff --git a/vendor/modules.txt b/vendor/modules.txt index a162b6d5..3642b926 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -382,7 +382,7 @@ google.golang.org/genproto/googleapis/api/httpbody ## explicit; go 1.24.0 google.golang.org/genproto/googleapis/rpc/errdetails google.golang.org/genproto/googleapis/rpc/status -# google.golang.org/grpc v1.79.2 +# google.golang.org/grpc v1.79.3 ## explicit; go 1.24.0 google.golang.org/grpc google.golang.org/grpc/attributes @@ -909,10 +909,10 @@ k8s.io/utils/lru k8s.io/utils/net k8s.io/utils/ptr k8s.io/utils/trace -# knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 +# knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad ## explicit; go 1.24 knative.dev/hack -# knative.dev/networking v0.0.0-20260313010219-0055e9277729 +# knative.dev/networking v0.0.0-20260317015751-91b576b3d619 ## explicit; go 1.25.0 knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1 @@ -922,7 +922,7 @@ knative.dev/networking/pkg/http knative.dev/networking/pkg/http/header knative.dev/networking/pkg/http/proxy knative.dev/networking/pkg/http/stats -# knative.dev/pkg v0.0.0-20260316154451-5d1c12d99335 +# knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7 ## explicit; go 1.25.0 knative.dev/pkg/apis knative.dev/pkg/apis/duck @@ -962,7 +962,7 @@ knative.dev/pkg/signals knative.dev/pkg/system knative.dev/pkg/tracker knative.dev/pkg/websocket -# knative.dev/serving v0.48.1-0.20260316224151-10d950c3a0d7 +# knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037 ## explicit; go 1.25.0 knative.dev/serving/pkg/activator knative.dev/serving/pkg/apis/autoscaling