bump github.com/emicklei/go-restful/v3 to v3.11.0 #119865
Conversation
Please note that we're already in Test Freeze for the Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Wed Aug 9 10:32:39 UTC 2023.
/retest-required
The upgrade may not be trivial. Please check codegen, etc, or try to run /assign @dims
/test
@charles-chenzz: The
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test all
/retest-required
62216b6 to 409b465
/test all
/test pull-kubernetes-node-e2e-containerd-1-7-dra
/retest-required
I've bumped the dep to v3.11.0. In this commit, go-restful restores the behavior back to v3.9, and luckily we don't need to override a public package var in go-restful to keep the current behavior we rely on; v3.11.0 also resolves the security issues that they have, and the CI all passed now. Gentle ping @liggitt @dgrisonnet, would you take a look at this when you get a chance?
This looks fine to me. As @charles-chenzz mentioned, the initial concerns about the https://github.com/emicklei/go-restful/blob/v3.11.0/route.go#L187-L191 Now that this has been addressed, @liggitt could you please have another look?
The v3.11.0 release restores slash parsing to be 3.9.0-compatible by default. That has two implications:
To be crystal clear, Kubernetes is not affected at all by the go-restful security issue because we apply authentication / authorization directly to the incoming http.Request object / URL, not using go-restful filters. The primary motivation for picking up this version update is to silence security scanners incorrectly flagging Kubernetes as impacted by the go-restful vulnerability. If PRISMA-2022-0227 decides to remark 3.11.0+ as vulnerable because the default behavior triggers the go-restful bug, picking up this update will not do anything to silence those scanners.
/lgtm
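The design point in the comment above, applying authorization to the raw incoming http.Request before any router interprets the path rather than relying on per-route filters, shown as an added example that is not Kubernetes' or go-restful's code. The permission table, the `X-Example-User` header standing in for authentication, and the `/api/v1/pods` route are all constructed for this illustration.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed permission table (not Kubernetes' real RBAC): user -> allowed (method, path prefix).
var allowed = map[string][][2]string{
	"reader": {{"GET", "/api/"}},
	"admin":  {{"GET", "/api/"}, {"DELETE", "/api/"}},
}

// authorize decides on the raw *http.Request (method and URL path) before any
// router has interpreted the path; it returns the HTTP status to emit.
func authorize(r *http.Request) int {
	rules, ok := allowed[r.Header.Get("X-Example-User")] // constructed authn stand-in
	if !ok {
		return http.StatusUnauthorized
	}
	for _, rule := range rules {
		if rule[0] == r.Method && strings.HasPrefix(r.URL.Path, rule[1]) {
			return http.StatusOK
		}
	}
	return http.StatusForbidden
}

// withAuthz wraps the whole router, so the decision is made even for requests
// the router would send to an unexpected route or to no route at all.
func withAuthz(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := authorize(r); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer builds a minimal router with one constructed resource path.
func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/pods", func(w http.ResponseWriter, _ *http.Request) { _, _ = w.Write([]byte("pods")) })
	return withAuthz(mux)
}

// request returns the status code the server produces for a constructed in-memory request.
func request(h http.Handler, method, path, user string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Example-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

Because the check runs in the outer handler, a request to a path the router does not even recognise is still denied by policy (403) rather than falling through to the router's 404 with no authorization decision made.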
LGTM label has been added. Git tree hash: 4d464b5e8c1113df954194a3984993c4da04f707
/lgtm |
What type of PR is this?
/kind bug
What this PR does / why we need it:
resolve security vulnerabilities
Which issue(s) this PR fixes:
Fixes #119854
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: