bump github.com/emicklei/go-restful/v3 to v3.11.0

[charles-chenzz]

What type of PR is this?

/kind bug

What this PR does / why we need it:

resolve security vulnerabilities

Which issue(s) this PR fixes:

Fixes #119854

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

Please note that we're already in Test Freeze for the release-1.28 branch. This means every merged PR will be automatically fast-forwarded via the periodic ci-fast-forward job to the release branch of the upcoming v1.28.0 release.

Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Wed Aug 9 10:32:39 UTC 2023.

[charles-chenzz]

/retest-required

[jiahuif]

The upgrade may not be trivial. Please check codegen, etc, or try to run make update one more time.

/assign @dims

[charles-chenzz]

/test

[k8s-ci-robot]

@charles-chenzz: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

• /test pull-cadvisor-e2e-kubernetes
• /test pull-kubernetes-conformance-kind-ga-only-parallel
• /test pull-kubernetes-coverage-unit
• /test pull-kubernetes-dependencies
• /test pull-kubernetes-dependencies-go-canary
• /test pull-kubernetes-e2e-gce
• /test pull-kubernetes-e2e-gce-100-performance
• /test pull-kubernetes-e2e-gce-big-performance
• /test pull-kubernetes-e2e-gce-canary
• /test pull-kubernetes-e2e-gce-cos
• /test pull-kubernetes-e2e-gce-cos-canary
• /test pull-kubernetes-e2e-gce-cos-no-stage
• /test pull-kubernetes-e2e-gce-network-proxy-http-connect
• /test pull-kubernetes-e2e-gce-scale-performance-manual
• /test pull-kubernetes-e2e-kind
• /test pull-kubernetes-e2e-kind-ipv6
• /test pull-kubernetes-integration
• /test pull-kubernetes-integration-go-canary
• /test pull-kubernetes-kubemark-e2e-gce-scale
• /test pull-kubernetes-node-e2e-containerd
• /test pull-kubernetes-typecheck
• /test pull-kubernetes-unit
• /test pull-kubernetes-unit-go-canary
• /test pull-kubernetes-update
• /test pull-kubernetes-verify
• /test pull-kubernetes-verify-go-canary

The following commands are available to trigger optional jobs:

• /test check-dependency-stats
• /test pull-ci-kubernetes-unit-windows
• /test pull-e2e-gce-cloud-provider-disabled
• /test pull-kubernetes-conformance-image-test
• /test pull-kubernetes-conformance-kind-ga-only
• /test pull-kubernetes-conformance-kind-ipv6-parallel
• /test pull-kubernetes-cos-cgroupv1-containerd-node-e2e
• /test pull-kubernetes-cos-cgroupv1-containerd-node-e2e-features
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-eviction
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-features
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-serial
• /test pull-kubernetes-cross
• /test pull-kubernetes-e2e-autoscaling-hpa-cm
• /test pull-kubernetes-e2e-autoscaling-hpa-cpu
• /test pull-kubernetes-e2e-capz-azure-disk
• /test pull-kubernetes-e2e-capz-azure-disk-vmss
• /test pull-kubernetes-e2e-capz-azure-file
• /test pull-kubernetes-e2e-capz-azure-file-vmss
• /test pull-kubernetes-e2e-capz-conformance
• /test pull-kubernetes-e2e-capz-windows-alpha-feature-vpa
• /test pull-kubernetes-e2e-capz-windows-alpha-features
• /test pull-kubernetes-e2e-capz-windows-master
• /test pull-kubernetes-e2e-capz-windows-serial-slow-hpa
• /test pull-kubernetes-e2e-containerd-gce
• /test pull-kubernetes-e2e-ec2
• /test pull-kubernetes-e2e-ec2-conformance
• /test pull-kubernetes-e2e-gce-correctness
• /test pull-kubernetes-e2e-gce-cos-alpha-features
• /test pull-kubernetes-e2e-gce-cos-kubetest2
• /test pull-kubernetes-e2e-gce-csi-serial
• /test pull-kubernetes-e2e-gce-device-plugin-gpu
• /test pull-kubernetes-e2e-gce-kubelet-credential-provider
• /test pull-kubernetes-e2e-gce-network-proxy-grpc
• /test pull-kubernetes-e2e-gce-serial
• /test pull-kubernetes-e2e-gce-storage-disruptive
• /test pull-kubernetes-e2e-gce-storage-slow
• /test pull-kubernetes-e2e-gce-storage-snapshot
• /test pull-kubernetes-e2e-gci-gce-autoscaling
• /test pull-kubernetes-e2e-gci-gce-ingress
• /test pull-kubernetes-e2e-gci-gce-ipvs
• /test pull-kubernetes-e2e-inplace-pod-resize-containerd-main-v2
• /test pull-kubernetes-e2e-kind-alpha-features
• /test pull-kubernetes-e2e-kind-canary
• /test pull-kubernetes-e2e-kind-dual-canary
• /test pull-kubernetes-e2e-kind-ipv6-canary
• /test pull-kubernetes-e2e-kind-ipvs-dual-canary
• /test pull-kubernetes-e2e-kind-kms
• /test pull-kubernetes-e2e-kind-multizone
• /test pull-kubernetes-e2e-kops-aws
• /test pull-kubernetes-e2e-storage-kind-disruptive
• /test pull-kubernetes-e2e-ubuntu-gce-network-policies
• /test pull-kubernetes-integration-eks
• /test pull-kubernetes-kind-dra
• /test pull-kubernetes-kind-json-logging
• /test pull-kubernetes-kind-text-logging
• /test pull-kubernetes-kubemark-e2e-gce-big
• /test pull-kubernetes-linter-hints
• /test pull-kubernetes-local-e2e
• /test pull-kubernetes-node-arm64-e2e-containerd-ec2
• /test pull-kubernetes-node-arm64-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-arm64-ubuntu-serial-gce
• /test pull-kubernetes-node-crio-cgrpv1-evented-pleg-e2e
• /test pull-kubernetes-node-crio-cgrpv2-e2e
• /test pull-kubernetes-node-crio-cgrpv2-e2e-kubetest2
• /test pull-kubernetes-node-crio-e2e
• /test pull-kubernetes-node-crio-e2e-kubetest2
• /test pull-kubernetes-node-e2e-containerd-1-7-dra
• /test pull-kubernetes-node-e2e-containerd-alpha-features
• /test pull-kubernetes-node-e2e-containerd-ec2
• /test pull-kubernetes-node-e2e-containerd-features
• /test pull-kubernetes-node-e2e-containerd-features-kubetest2
• /test pull-kubernetes-node-e2e-containerd-kubetest2
• /test pull-kubernetes-node-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-e2e-containerd-sidecar-containers
• /test pull-kubernetes-node-e2e-containerd-standalone-mode
• /test pull-kubernetes-node-e2e-containerd-standalone-mode-all-alpha
• /test pull-kubernetes-node-e2e-crio-dra
• /test pull-kubernetes-node-kubelet-credential-provider
• /test pull-kubernetes-node-kubelet-serial-containerd
• /test pull-kubernetes-node-kubelet-serial-containerd-alpha-features
• /test pull-kubernetes-node-kubelet-serial-containerd-kubetest2
• /test pull-kubernetes-node-kubelet-serial-containerd-sidecar-containers
• /test pull-kubernetes-node-kubelet-serial-cpu-manager
• /test pull-kubernetes-node-kubelet-serial-cpu-manager-kubetest2
• /test pull-kubernetes-node-kubelet-serial-crio-cgroupv1
• /test pull-kubernetes-node-kubelet-serial-crio-cgroupv2
• /test pull-kubernetes-node-kubelet-serial-hugepages
• /test pull-kubernetes-node-kubelet-serial-memory-manager
• /test pull-kubernetes-node-kubelet-serial-pod-disruption-conditions
• /test pull-kubernetes-node-kubelet-serial-topology-manager
• /test pull-kubernetes-node-kubelet-serial-topology-manager-kubetest2
• /test pull-kubernetes-node-memoryqos-cgrpv2
• /test pull-kubernetes-node-swap-fedora
• /test pull-kubernetes-node-swap-fedora-serial
• /test pull-kubernetes-node-swap-ubuntu-serial
• /test pull-kubernetes-unit-experimental
• /test pull-kubernetes-verify-strict-lint
• /test pull-publishing-bot-validate

Use /test all to run the following jobs that were automatically triggered:

• check-dependency-stats
• pull-kubernetes-conformance-kind-ga-only-parallel
• pull-kubernetes-dependencies
• pull-kubernetes-e2e-ec2
• pull-kubernetes-e2e-ec2-conformance
• pull-kubernetes-e2e-gce
• pull-kubernetes-e2e-kind
• pull-kubernetes-e2e-kind-ipv6
• pull-kubernetes-e2e-kind-kms
• pull-kubernetes-integration
• pull-kubernetes-kind-dra
• pull-kubernetes-linter-hints
• pull-kubernetes-node-e2e-containerd
• pull-kubernetes-node-e2e-containerd-1-7-dra
• pull-kubernetes-node-e2e-crio-dra
• pull-kubernetes-typecheck
• pull-kubernetes-unit
• pull-kubernetes-verify
• pull-kubernetes-verify-strict-lint

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[charles-chenzz]

/test all

[charles-chenzz]

/retest-required

[charles-chenzz]

/test all

[charles-chenzz]

/test pull-kubernetes-node-e2e-containerd-1-7-dra

[charles-chenzz]

/retest-required

[charles-chenzz]

I've bump the dep to v3.11.0. in this commit, go-restful restore the behavior back to v3.9, and luckily we don't need to override a public package var in go-restful to keep the current behavior we rely on, which v3.11.0 also resolve the security issues that they have. and the CI all passed now.

gentle ping @liggitt @dgrisonnet would you take a look at this when you get a chance?
also /cc @dims
(as dims is the deps expert)

[dgrisonnet]

This looks fine to me.

As @charles-chenzz mentionned, the initial concerns about the TrimSlashStrategy changes have been resolve in v3.11.0, since the behavior was reverted to enable the TrimSlashStrategy by default like it used to be in v3.9.0 and prior.

https://github.com/emicklei/go-restful/blob/v3.11.0/route.go#L187-L191

Now that this has been addressed, @liggitt could you please have another look?

[liggitt]

The v3.11.0 release restores slash parsing to be 3.9.0-compatible by default. That has two implications:

1. We can pick it up 🎉
2. The default behavior reintroduces the security issue in go-restful routing / filtering, making the change in v3.10.x to fix that security issue opt-in, rather than opt-out (I agree with this approach, by the way).

To be crystal clear, Kubernetes is not affected at all by the go-restful security issue because we apply authentication / authorization directly to the incoming http.Request object / URL, not using go-restful filters.

The primary motivation for picking up this version update is to silence security scanners incorrectly flagging Kubernetes as impacted by the go-restful vulnerability. If PRISMA-2022-0227 decides to remark 3.11.0+ as vulnerable because the default behavior triggers the go-restful bug, picking up this update will not do anything to silence those scanners.

/lgtm
/approve

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: 4d464b5e8c1113df954194a3984993c4da04f707

[dims]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: charles-chenzz, dims, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dims,liggitt]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS [dims,liggitt]
• staging/src/k8s.io/apiserver/OWNERS [dims,liggitt]
• staging/src/k8s.io/cli-runtime/OWNERS [dims,liggitt]
• staging/src/k8s.io/client-go/OWNERS [dims,liggitt]
• staging/src/k8s.io/cloud-provider/OWNERS [dims,liggitt]
• staging/src/k8s.io/code-generator/OWNERS [dims,liggitt]
• staging/src/k8s.io/component-base/OWNERS [dims,liggitt]
• staging/src/k8s.io/component-helpers/OWNERS [dims,liggitt]
• staging/src/k8s.io/controller-manager/OWNERS [dims,liggitt]
• staging/src/k8s.io/dynamic-resource-allocation/OWNERS [dims,liggitt]
• staging/src/k8s.io/endpointslice/OWNERS [dims,liggitt]
• staging/src/k8s.io/kms/OWNERS [dims,liggitt]
• staging/src/k8s.io/kube-aggregator/OWNERS [dims,liggitt]
• staging/src/k8s.io/kube-controller-manager/OWNERS [dims,liggitt]
• staging/src/k8s.io/kube-proxy/OWNERS [dims,liggitt]
• staging/src/k8s.io/kube-scheduler/OWNERS [dims,liggitt]
• staging/src/k8s.io/kubectl/OWNERS [dims,liggitt]
• staging/src/k8s.io/kubelet/OWNERS [dims,liggitt]
• staging/src/k8s.io/legacy-cloud-providers/OWNERS [dims,liggitt]
• staging/src/k8s.io/metrics/OWNERS [dims,liggitt]
• staging/src/k8s.io/pod-security-admission/OWNERS [dims,liggitt]
• staging/src/k8s.io/sample-apiserver/OWNERS [dims,liggitt]
• staging/src/k8s.io/sample-cli-plugin/OWNERS [dims,liggitt]
• staging/src/k8s.io/sample-controller/OWNERS [dims,liggitt]
• vendor/OWNERS [dims,liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment