mirror of
https://github.com/cloudnative-pg/plugin-barman-cloud.git
synced 2026-07-06 17:52:21 +02:00
Some checks failed
release-please / release-please (push) Failing after 5s
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.79.2` → `v1.79.3` |  |  | ### GitHub Vulnerability Alerts #### [CVE-2026-33186](https://redirect.github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3) ### Impact _What kind of vulnerability is it? Who is impacted?_ It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. **Who is impacted?** This affects gRPC-Go servers that meet both of the following criteria: 1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`. 2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Users should upgrade to the following versions (or newer): * **v1.79.3** * The latest **master** branch. It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: #### 1. Use a Validating Interceptor (Recommended Mitigation) Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs: ```go func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) { if info.FullMethod == "" || info.FullMethod[0] != '/' { return nil, status.Errorf(codes.Unimplemented, "malformed method name") } return handler(ctx, req) } // Ensure this is the FIRST interceptor in your chain s := grpc.NewServer( grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor), ) ``` #### 2. Infrastructure-Level Normalization If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash. #### 3. Policy Hardening Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs. --- ### Release Notes <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.79.3`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.79.3): Release 1.79.3 [Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.79.2...v1.79.3) ### Security - server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like `grpc/authz`. Any request with a non-canonical path is now immediately rejected with an `Unimplemented` error. ([#​8981](https://redirect.github.com/grpc/grpc-go/issues/8981)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Never, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21hdGVkIiwibm8taXNzdWUiXX0=--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
142 lines
6.6 KiB
Modula-2
142 lines
6.6 KiB
Modula-2
module github.com/cloudnative-pg/plugin-barman-cloud
|
|
|
|
go 1.25.0
|
|
|
|
toolchain go1.26.1
|
|
|
|
require (
|
|
github.com/cert-manager/cert-manager v1.19.4
|
|
github.com/cloudnative-pg/api v1.28.1
|
|
github.com/cloudnative-pg/barman-cloud v0.5.0
|
|
github.com/cloudnative-pg/cloudnative-pg v1.28.1
|
|
github.com/cloudnative-pg/cnpg-i v0.3.1
|
|
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
|
|
github.com/cloudnative-pg/machinery v0.3.3
|
|
github.com/onsi/ginkgo/v2 v2.28.1
|
|
github.com/onsi/gomega v1.39.1
|
|
github.com/spf13/cobra v1.10.2
|
|
github.com/spf13/viper v1.21.0
|
|
google.golang.org/grpc v1.79.3
|
|
gopkg.in/yaml.v3 v3.0.1
|
|
k8s.io/api v0.35.2
|
|
k8s.io/apiextensions-apiserver v0.35.2
|
|
k8s.io/apimachinery v0.35.2
|
|
k8s.io/client-go v0.35.2
|
|
k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
|
|
sigs.k8s.io/controller-runtime v0.23.3
|
|
sigs.k8s.io/kustomize/api v0.21.1
|
|
sigs.k8s.io/kustomize/kyaml v0.21.1
|
|
)
|
|
|
|
require (
|
|
cel.dev/expr v0.25.1 // indirect
|
|
github.com/Masterminds/semver/v3 v3.4.0 // indirect
|
|
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
|
|
github.com/beorn7/perks v1.0.1 // indirect
|
|
github.com/blang/semver/v4 v4.0.0 // indirect
|
|
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
|
|
github.com/cespare/xxhash/v2 v2.3.0 // indirect
|
|
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
|
|
github.com/emicklei/go-restful/v3 v3.13.0 // indirect
|
|
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
|
|
github.com/felixge/httpsnoop v1.0.4 // indirect
|
|
github.com/fsnotify/fsnotify v1.9.0 // indirect
|
|
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
|
|
github.com/go-errors/errors v1.5.1 // indirect
|
|
github.com/go-logr/logr v1.4.3 // indirect
|
|
github.com/go-logr/stdr v1.2.2 // indirect
|
|
github.com/go-logr/zapr v1.3.0 // indirect
|
|
github.com/go-openapi/jsonpointer v0.22.4 // indirect
|
|
github.com/go-openapi/jsonreference v0.21.4 // indirect
|
|
github.com/go-openapi/swag v0.25.4 // indirect
|
|
github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/conv v0.25.4 // indirect
|
|
github.com/go-openapi/swag/fileutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/jsonname v0.25.4 // indirect
|
|
github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/loading v0.25.4 // indirect
|
|
github.com/go-openapi/swag/mangling v0.25.4 // indirect
|
|
github.com/go-openapi/swag/netutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/stringutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/typeutils v0.25.4 // indirect
|
|
github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
|
|
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
|
|
github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
|
|
github.com/google/btree v1.1.3 // indirect
|
|
github.com/google/cel-go v0.26.0 // indirect
|
|
github.com/google/gnostic-models v0.7.1 // indirect
|
|
github.com/google/go-cmp v0.7.0 // indirect
|
|
github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
|
|
github.com/google/uuid v1.6.0 // indirect
|
|
github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
|
|
github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
|
|
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
|
|
github.com/inconshreveable/mousetrap v1.1.0 // indirect
|
|
github.com/json-iterator/go v1.1.12 // indirect
|
|
github.com/kubernetes-csi/external-snapshotter/client/v8 v8.4.0 // indirect
|
|
github.com/lib/pq v1.11.1 // indirect
|
|
github.com/moby/spdystream v0.5.0 // indirect
|
|
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
|
|
github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
|
|
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
|
|
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
|
|
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
|
|
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
|
|
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
|
|
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.87.1 // indirect
|
|
github.com/prometheus/client_golang v1.23.2 // indirect
|
|
github.com/prometheus/client_model v0.6.2 // indirect
|
|
github.com/prometheus/common v0.67.4 // indirect
|
|
github.com/prometheus/procfs v0.19.2 // indirect
|
|
github.com/sagikazarmark/locafero v0.11.0 // indirect
|
|
github.com/snorwin/jsonpatch v1.5.0 // indirect
|
|
github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
|
|
github.com/spf13/afero v1.15.0 // indirect
|
|
github.com/spf13/cast v1.10.0 // indirect
|
|
github.com/spf13/pflag v1.0.10 // indirect
|
|
github.com/stoewer/go-strcase v1.3.1 // indirect
|
|
github.com/subosito/gotenv v1.6.0 // indirect
|
|
github.com/thoas/go-funk v0.9.3 // indirect
|
|
github.com/x448/float16 v0.8.4 // indirect
|
|
github.com/xlab/treeprint v1.2.0 // indirect
|
|
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
|
|
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
|
|
go.opentelemetry.io/otel v1.40.0 // indirect
|
|
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
|
|
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
|
|
go.opentelemetry.io/otel/metric v1.40.0 // indirect
|
|
go.opentelemetry.io/otel/sdk v1.40.0 // indirect
|
|
go.opentelemetry.io/otel/trace v1.40.0 // indirect
|
|
go.opentelemetry.io/proto/otlp v1.7.0 // indirect
|
|
go.uber.org/multierr v1.11.0 // indirect
|
|
go.uber.org/zap v1.27.1 // indirect
|
|
go.yaml.in/yaml/v2 v2.4.3 // indirect
|
|
go.yaml.in/yaml/v3 v3.0.4 // indirect
|
|
golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
|
|
golang.org/x/mod v0.32.0 // indirect
|
|
golang.org/x/net v0.49.0 // indirect
|
|
golang.org/x/oauth2 v0.34.0 // indirect
|
|
golang.org/x/sync v0.19.0 // indirect
|
|
golang.org/x/sys v0.42.0 // indirect
|
|
golang.org/x/term v0.39.0 // indirect
|
|
golang.org/x/text v0.33.0 // indirect
|
|
golang.org/x/time v0.14.0 // indirect
|
|
golang.org/x/tools v0.41.0 // indirect
|
|
gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
|
|
google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 // indirect
|
|
google.golang.org/genproto/googleapis/rpc v0.0.0-20251202230838-ff82c1b0f217 // indirect
|
|
google.golang.org/protobuf v1.36.11 // indirect
|
|
gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
|
|
gopkg.in/inf.v0 v0.9.1 // indirect
|
|
k8s.io/apiserver v0.35.2 // indirect
|
|
k8s.io/component-base v0.35.2 // indirect
|
|
k8s.io/klog/v2 v2.130.1 // indirect
|
|
k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
|
|
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 // indirect
|
|
sigs.k8s.io/gateway-api v1.4.0 // indirect
|
|
sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
|
|
sigs.k8s.io/randfill v1.0.0 // indirect
|
|
sigs.k8s.io/structured-merge-diff/v6 v6.3.2-0.20260122202528-d9cc6641c482 // indirect
|
|
sigs.k8s.io/yaml v1.6.0 // indirect
|
|
)
|