diff --git a/go.mod b/go.mod
index ebb1b2769..e121def20 100644
--- a/go.mod
+++ b/go.mod
@@ -20,12 +20,12 @@ require (
 k8s.io/apimachinery v0.35.2
 k8s.io/client-go v0.35.2
 k8s.io/code-generator v0.35.2
- knative.dev/caching v0.0.0-20260317014950-408629a8fd29
- knative.dev/eventing v0.48.1-0.20260316031422-ce3fe6b62f97
- knative.dev/hack v0.0.0-20260310014051-c448fdb867e2
- knative.dev/pkg v0.0.0-20260317082650-91e176852006
- knative.dev/reconciler-test v0.0.0-20260317021952-1e70e7c280f2
- knative.dev/serving v0.48.1-0.20260317123251-fe4c325b7af9
+ knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3
+ knative.dev/eventing v0.48.1-0.20260318123800-cb8edb94867e
+ knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad
+ knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7
+ knative.dev/reconciler-test v0.0.0-20260318133702-158b98a68b18
+ knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037
 sigs.k8s.io/yaml v1.6.0
 )
 
@@ -150,7 +150,7 @@ require (
 google.golang.org/genproto v0.0.0-20240903143218-8af14fe29dc1 // indirect
 google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
- google.golang.org/grpc v1.79.2 // indirect
+ google.golang.org/grpc v1.79.3 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
@@ -162,7 +162,7 @@ require (
 k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
- knative.dev/networking v0.0.0-20260316020026-a339c355a2b2 // indirect
+ knative.dev/networking v0.0.0-20260317015751-91b576b3d619 // indirect
 sigs.k8s.io/controller-runtime v0.19.0 // indirect
 sigs.k8s.io/gateway-api v1.1.0 // indirect
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
diff --git a/go.sum b/go.sum
index e33229908..a18c7d83a 100644
--- a/go.sum
+++ b/go.sum
@@ -1599,8 +1599,8 @@ google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
-google.golang.org/grpc v1.79.2 h1:fRMD94s2tITpyJGtBBn7MkMseNpOZU8ZxgC3MMBaXRU=
-google.golang.org/grpc v1.79.2/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
+google.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=
+google.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1714,20 +1714,20 @@ k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/caching v0.0.0-20260317014950-408629a8fd29 h1:uxOxwL84CKl10MflLPV+fErkvVz8LW14ug9u5/SEzl0=
-knative.dev/caching v0.0.0-20260317014950-408629a8fd29/go.mod h1:P61LpKUA6h0IeWjWwGwNimd2teheWbgSGsyNIF/tHK4=
-knative.dev/eventing v0.48.1-0.20260316031422-ce3fe6b62f97 h1:igxNyYW2+LxPspTqGpMH7Z+Qp1TqbYDkyiWtyHJjWK8=
-knative.dev/eventing v0.48.1-0.20260316031422-ce3fe6b62f97/go.mod h1:UR5qyT/4a68s4HJ+ZEourVWJ7pS7um8PCW4COjeOyxE=
-knative.dev/hack v0.0.0-20260310014051-c448fdb867e2 h1:b35SGLEp03D8oGf8mE9HBt3yfNgYpAK0fw46hFXs9w4=
-knative.dev/hack v0.0.0-20260310014051-c448fdb867e2/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
-knative.dev/networking v0.0.0-20260316020026-a339c355a2b2 h1:UNzCI424xvyYD0Ii2Qzq4fmeSPFyhd3N3pbB6pTbxec=
-knative.dev/networking v0.0.0-20260316020026-a339c355a2b2/go.mod h1:sNxNqkf3iMyBy0WOlicarFowbxhg14/g+BCmnx9Z6RQ=
-knative.dev/pkg v0.0.0-20260317082650-91e176852006 h1:kigmOSaEWOddCfoyH1+Mx0w1kwnZrl3CbPAN+9/+Kx4=
-knative.dev/pkg v0.0.0-20260317082650-91e176852006/go.mod h1:o/XS1E/hYh9IR8deEEiJG4kKtQfqnf9Gwt5bwp2x4AU=
-knative.dev/reconciler-test v0.0.0-20260317021952-1e70e7c280f2 h1:Dp24gX5whQUMa0GtYuVyG6Kmx2c6Owmru20oymw5Fug=
-knative.dev/reconciler-test v0.0.0-20260317021952-1e70e7c280f2/go.mod h1:kOX2KvO14S/49lqzqBHdw9RMd6PAXviPbRhCFTK9eOo=
-knative.dev/serving v0.48.1-0.20260317123251-fe4c325b7af9 h1:XonUo+HlKKzE0rUL/TgRveDRf0rr5v/NsKJxtn9w724=
-knative.dev/serving v0.48.1-0.20260317123251-fe4c325b7af9/go.mod h1:ZGJ7vuvaxklMnfNPgq0LOwI/zTJDcbdK64KWnZd69Z8=
+knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3 h1:yUKRxYHWvid3PUgEB2C+N3aVxtpQwUWWE+oA6zS/hHI=
+knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3/go.mod h1:P61LpKUA6h0IeWjWwGwNimd2teheWbgSGsyNIF/tHK4=
+knative.dev/eventing v0.48.1-0.20260318123800-cb8edb94867e h1:Fl7sJs/Z3fozCQVpLg7r7OGVGXJa6Xx1ZjBBH4p/xLM=
+knative.dev/eventing v0.48.1-0.20260318123800-cb8edb94867e/go.mod h1:h9JayEpHILt+NMiQ0KWqs9Bfu1hJeyYO04Ak41ZJ3U8=
+knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad h1:yH957Dv5HrPgllwTs7e1wvCKcjg/PC0QPQGEWkK7QFw=
+knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0=
+knative.dev/networking v0.0.0-20260317015751-91b576b3d619 h1:Ff71TIn4yIVTWLrDF/SyN0KEJ1LNconyeptgkzZEzAY=
+knative.dev/networking v0.0.0-20260317015751-91b576b3d619/go.mod h1:0UAbiLzpmMyhpjWVwRo9vYEWPKGyY6PM2VCKQkBpXE4=
+knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7 h1:CGvCs59CA7mO81TrJpwxD0dLEpWVhfCRyjfHmsP1c6I=
+knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7/go.mod h1:RdLk2PjzyP79Zsj4no0G8zGHeEq5JzYzP69owy2NiGY=
+knative.dev/reconciler-test v0.0.0-20260318133702-158b98a68b18 h1:3R5YMPEpXf940FAbA822QKOENUdNLQgzNL/YynIvGbQ=
+knative.dev/reconciler-test v0.0.0-20260318133702-158b98a68b18/go.mod h1:kOX2KvO14S/49lqzqBHdw9RMd6PAXviPbRhCFTK9eOo=
+knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037 h1:lJfAaK2B1M2sDTcW1Vvn2ZVmRK++ohLOKKTwNlr0/5s=
+knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037/go.mod h1:bQYwglHKejWgU/8tZvTRgJZD1LG+DD9O/SybqW57Pr8=
 nhooyr.io/websocket v1.8.6/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
diff --git a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
index e8dc79129..7ad6fb44c 100644
--- a/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
+++ b/vendor/google.golang.org/grpc/internal/envconfig/envconfig.go
@@ -88,6 +88,22 @@ var (
 // feature can be disabled by setting the environment variable
 // GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING to "false".
 PickFirstWeightedShuffling = boolFromEnv("GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING", true)
+
+ // DisableStrictPathChecking indicates whether strict path checking is
+ // disabled. This feature can be disabled by setting the environment
+ // variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to "true".
+ //
+ // When strict path checking is enabled, gRPC will reject requests with
+ // paths that do not conform to the gRPC over HTTP/2 specification found at
+ // https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md.
+ //
+ // When disabled, gRPC will allow paths that do not contain a leading slash.
+ // Enabling strict path checking is recommended for security reasons, as it
+ // prevents potential path traversal vulnerabilities.
+ //
+ // A future release will remove this environment variable, enabling strict
+ // path checking behavior unconditionally.
+ DisableStrictPathChecking = boolFromEnv("GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING", false)
 )
 
 func boolFromEnv(envVar string, def bool) bool {
diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
index 1b5cefe81..8efb29a7b 100644
--- a/vendor/google.golang.org/grpc/server.go
+++ b/vendor/google.golang.org/grpc/server.go
@@ -42,6 +42,7 @@ import (
 "google.golang.org/grpc/internal"
 "google.golang.org/grpc/internal/binarylog"
 "google.golang.org/grpc/internal/channelz"
+ "google.golang.org/grpc/internal/envconfig"
 "google.golang.org/grpc/internal/grpcsync"
 "google.golang.org/grpc/internal/grpcutil"
 istats "google.golang.org/grpc/internal/stats"
@@ -149,6 +150,8 @@ type Server struct {
 
 serverWorkerChannel chan func()
 serverWorkerChannelClose func()
+
+ strictPathCheckingLogEmitted atomic.Bool
 }
 
 type serverOptions struct {
@@ -1762,6 +1765,24 @@ func (s *Server) processStreamingRPC(ctx context.Context, stream *transport.Serv
 return ss.s.WriteStatus(statusOK)
 }
 
+func (s *Server) handleMalformedMethodName(stream *transport.ServerStream, ti *traceInfo) {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{stream.Method()}}, true)
+ ti.tr.SetError()
+ }
+ errDesc := fmt.Sprintf("malformed method name: %q", stream.Method())
+ if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil {
+ if ti != nil {
+ ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true)
+ ti.tr.SetError()
+ }
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err)
+ }
+ if ti != nil {
+ ti.tr.Finish()
+ }
+}
+
 func (s *Server) handleStream(t transport.ServerTransport, stream *transport.ServerStream) {
 ctx := stream.Context()
 ctx = contextWithServer(ctx, s)
@@ -1782,26 +1803,30 @@ func (s *Server) handleStream(t transport.ServerTransport, stream *transport.Ser
 }
 
 sm := stream.Method()
- if sm != "" && sm[0] == '/' {
+ if sm == "" {
+ s.handleMalformedMethodName(stream, ti)
+ return
+ }
+ if sm[0] != '/' {
+ // TODO(easwars): Add a link to the CVE in the below log messages once
+ // published.
+ if envconfig.DisableStrictPathChecking {
+ if old := s.strictPathCheckingLogEmitted.Swap(true); !old {
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream received malformed method name %q. Allowing it because the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING is set to true, but this option will be removed in a future release.", sm)
+ }
+ } else {
+ if old := s.strictPathCheckingLogEmitted.Swap(true); !old {
+ channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream rejected malformed method name %q. To temporarily allow such requests, set the environment variable GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING to true. Note that this is not recommended as it may allow requests to bypass security policies.", sm)
+ }
+ s.handleMalformedMethodName(stream, ti)
+ return
+ }
+ } else {
 sm = sm[1:]
 }
 pos := strings.LastIndex(sm, "/")
 if pos == -1 {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"Malformed method name %q", []any{sm}}, true)
- ti.tr.SetError()
- }
- errDesc := fmt.Sprintf("malformed method name: %q", stream.Method())
- if err := stream.WriteStatus(status.New(codes.Unimplemented, errDesc)); err != nil {
- if ti != nil {
- ti.tr.LazyLog(&fmtStringer{"%v", []any{err}}, true)
- ti.tr.SetError()
- }
- channelz.Warningf(logger, s.channelz, "grpc: Server.handleStream failed to write status: %v", err)
- }
- if ti != nil {
- ti.tr.Finish()
- }
+ s.handleMalformedMethodName(stream, ti)
 return
 }
 service := sm[:pos]
diff --git a/vendor/google.golang.org/grpc/version.go b/vendor/google.golang.org/grpc/version.go
index f9da6c6ca..76c2eed77 100644
--- a/vendor/google.golang.org/grpc/version.go
+++ b/vendor/google.golang.org/grpc/version.go
@@ -19,4 +19,4 @@
 package grpc
 
 // Version is the current grpc version.
-const Version = "1.79.2"
+const Version = "1.79.3"
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 82b6f4b9d..4082be267 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -783,7 +783,7 @@ google.golang.org/genproto/googleapis/api/httpbody
 google.golang.org/genproto/googleapis/rpc/code
 google.golang.org/genproto/googleapis/rpc/errdetails
 google.golang.org/genproto/googleapis/rpc/status
-# google.golang.org/grpc v1.79.2
+# google.golang.org/grpc v1.79.3
 ## explicit; go 1.24.0
 google.golang.org/grpc
 google.golang.org/grpc/attributes
@@ -1506,11 +1506,11 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/trace
-# knative.dev/caching v0.0.0-20260317014950-408629a8fd29
+# knative.dev/caching v0.0.0-20260318014239-0201ecf9e8f3
 ## explicit; go 1.25.0
 knative.dev/caching/pkg/apis/caching
 knative.dev/caching/pkg/apis/caching/v1alpha1
-# knative.dev/eventing v0.48.1-0.20260316031422-ce3fe6b62f97
+# knative.dev/eventing v0.48.1-0.20260318123800-cb8edb94867e
 ## explicit; go 1.25.0
 knative.dev/eventing/cmd/heartbeats
 knative.dev/eventing/pkg/apis
@@ -1603,10 +1603,10 @@ knative.dev/eventing/test/upgrade/prober/wathola/fetcher
 knative.dev/eventing/test/upgrade/prober/wathola/forwarder
 knative.dev/eventing/test/upgrade/prober/wathola/receiver
 knative.dev/eventing/test/upgrade/prober/wathola/sender
-# knative.dev/hack v0.0.0-20260310014051-c448fdb867e2
+# knative.dev/hack v0.0.0-20260318014029-7eede7fdcbad
 ## explicit; go 1.24
 knative.dev/hack
-# knative.dev/networking v0.0.0-20260316020026-a339c355a2b2
+# knative.dev/networking v0.0.0-20260317015751-91b576b3d619
 ## explicit; go 1.25.0
 knative.dev/networking/pkg/apis/networking
 knative.dev/networking/pkg/apis/networking/v1alpha1
@@ -1617,7 +1617,7 @@ knative.dev/networking/pkg/client/clientset/versioned/typed/networking/v1alpha1
 knative.dev/networking/pkg/config
 knative.dev/networking/pkg/http/header
 knative.dev/networking/pkg/ingress
-# knative.dev/pkg v0.0.0-20260317082650-91e176852006
+# knative.dev/pkg v0.0.0-20260319144801-8c68e18a5cc7
 ## explicit; go 1.25.0
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1709,7 +1709,7 @@ knative.dev/pkg/webhook
 knative.dev/pkg/webhook/certificates
 knative.dev/pkg/webhook/certificates/resources
 knative.dev/pkg/webhook/resourcesemantics/conversion
-# knative.dev/reconciler-test v0.0.0-20260317021952-1e70e7c280f2
+# knative.dev/reconciler-test v0.0.0-20260318133702-158b98a68b18
 ## explicit; go 1.25.0
 knative.dev/reconciler-test/cmd/eventshub
 knative.dev/reconciler-test/pkg/environment
@@ -1738,7 +1738,7 @@ knative.dev/reconciler-test/pkg/resources/service
 knative.dev/reconciler-test/pkg/resources/serviceaccount
 knative.dev/reconciler-test/pkg/state
 knative.dev/reconciler-test/resources/certificate
-# knative.dev/serving v0.48.1-0.20260317123251-fe4c325b7af9
+# knative.dev/serving v0.48.1-0.20260318220159-5237de8fe037
 ## explicit; go 1.25.0
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1