network-controller-harvester
chore(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [security] (master)
This PR contains the following updates:
| Package | Change |
|---|---|
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | v0.20.0 -> v0.44.0 |
GitHub Vulnerability Alerts
CVE-2023-45142
Summary
This handler wrapper (https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) out of the box adds the labels http.user_agent and http.method, which have unbounded cardinality. This can lead to memory exhaustion on the server when many malicious requests are sent to it.
Details
HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.
PoC
Send many requests with long, randomly generated HTTP methods and/or User-Agents (e.g. a million) and observe how memory consumption increases during it.
Impact
In order to be affected, the program has to configure a metrics pipeline, use the otelhttp.NewHandler wrapper, and not filter unknown HTTP methods or User-Agents at the level of a CDN, load balancer, previous middleware, etc.
Others
It is similar to already reported vulnerabilities
- https://github.com/open-telemetry/opentelemetry-go-contrib/security/advisories/GHSA-5r5m-65gx-7vrh (open-telemetry/opentelemetry-go-contrib)
- https://github.com/advisories/GHSA-cg3q-j54f-5p7p (prometheus/client_golang)
Workaround for affected versions
As a workaround to stop being affected, otelhttp.WithFilter() can be used, but it requires careful manual configuration so that certain requests are not dropped from instrumentation entirely.
For convenience and safe usage of this library, it should by default mark non-standard HTTP methods and User-Agents with the label unknown, to show that such requests were made without increasing cardinality. In case someone wants to keep the current behavior, the library API should allow enabling it.
The other possibility is to disable HTTP metrics instrumentation by passing the otelhttp.WithMeterProvider option with noop.NewMeterProvider.
Solution provided by upgrading
In PR https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.
References
- https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277
- https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.19.0
Release Notes
open-telemetry/opentelemetry-go-contrib (go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp)
v0.24.0
0.24.0 - 2021-09-21
Update dependency on the go.opentelemetry.io/otel project to v1.0.0.
v0.23.0
0.23.0 - 2021-09-09
Added
- Add WithoutSubSpans, WithRedactedHeaders, WithoutHeaders, and WithInsecureHeaders options for otelhttptrace.NewClientTrace. (#879)
Changed
- Split go.opentelemetry.io/contrib/propagators module into b3, jaeger, ot modules. (#985)
- otelmongodb span attributes, name and span status now conform to specification. (#769)
- Migrated EC2 resource detector support from root module go.opentelemetry.io/contrib/detectors/aws to a separate EC2 resource detector module go.opentelemetry.io/contrib/detectors/aws/ec2 (#1017)
- Add cloud.provider and cloud.platform to AWS detectors. (#1043)
- otelhttptrace.NewClientTrace now redacts known sensitive headers by default. (#879)
Fixed
- Fix span not marked as error in otelhttp.Transport when RoundTrip fails with an error. (#950)
v0.22.0
Added
- Add the zpages span processor. (#894)
Changed
- The b3.B3 type has been removed. b3.New() and b3.WithInjectEncoding(encoding) are added to replace it. (#868)
Fixed
- Fix deadlocks and race conditions in otelsarama.WrapAsyncProducer. The messaging.message_id and messaging.kafka.partition attributes are now not set if a message was not processed. (#754) (#755) (#881)
- Fix otelsarama.WrapAsyncProducer so that the messages from the Errors channel contain the original Metadata. (#754)
v0.21.0
0.21.0 - 2021-06-18
Fixed
- Dockerfile based examples for otelgin and otelmacaron. (#767)
Changed
- Supported minimum version of Go bumped from 1.14 to 1.15. (#787)
- EKS Resource Detector now uses the Kubernetes Go client to obtain the ConfigMap. (#813)
Removed
- Remove service name from otelmongodb configuration and span attributes. (#763)
Configuration
📅 Schedule: Branch creation - "" in timezone Asia/Taipei, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
⚠️ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
github.com/harvester/harvester/pkg/indexeres imports
github.com/rancher/steve/pkg/server imports
github.com/rancher/steve/pkg/auth imports
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
go.opentelemetry.io/otel/semconv/v1.17.0: cannot find module providing package go.opentelemetry.io/otel/semconv/v1.17.0
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
github.com/harvester/harvester/pkg/indexeres imports
github.com/rancher/steve/pkg/server imports
github.com/rancher/steve/pkg/auth imports
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/otel/exporters/otlp imports
go.opentelemetry.io/otel/sdk/export/metric imports
go.opentelemetry.io/otel/metric/number: cannot find module providing package go.opentelemetry.io/otel/metric/number
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
github.com/harvester/harvester/pkg/indexeres imports
github.com/rancher/steve/pkg/server imports
github.com/rancher/steve/pkg/auth imports
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
k8s.io/apiserver/pkg/util/webhook imports
k8s.io/component-base/traces imports
go.opentelemetry.io/otel/exporters/otlp imports
go.opentelemetry.io/otel/sdk/metric/controller/basic imports
go.opentelemetry.io/otel/metric/registry: cannot find module providing package go.opentelemetry.io/otel/metric/registry
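The advisory's workaround section above names two defensive options: an otelhttp.WithFilter predicate, and collapsing non-standard methods to a single "unknown" label so the attribute set stays bounded. The block below is an added example, not code from the advisory, from otelhttp or from this repository: it uses only the standard library, stands in for the metric attribute set with a plain map, and the names NormalizeMethod, KnownMethodFilter and Simulate are hypothetical (KnownMethodFilter only matches the shape of otelhttp's Filter type; it does not import the package).

```go
package main

import (
	"fmt"
	"math/rand"
	"net/http"
)

// Bounded set of method values we are willing to record as a metric
// attribute; anything else collapses to "unknown" (the advisory's suggested
// label; the upstream fix in v0.44.0 chose its own spelling).
var wellKnownMethods = map[string]bool{
	"GET": true, "HEAD": true, "POST": true, "PUT": true, "PATCH": true,
	"DELETE": true, "CONNECT": true, "OPTIONS": true, "TRACE": true,
}

// NormalizeMethod maps an arbitrary request method onto the bounded set,
// so the label set can never grow past len(wellKnownMethods)+1 entries.
func NormalizeMethod(m string) string {
	if wellKnownMethods[m] {
		return m
	}
	return "unknown"
}

// KnownMethodFilter has the shape of otelhttp's Filter type
// (func(*http.Request) bool) and could be passed to otelhttp.WithFilter.
// Returning false skips instrumentation for that request entirely, which is
// the workaround's trade-off: filtered requests vanish from the metrics.
func KnownMethodFilter(r *http.Request) bool {
	return wellKnownMethods[r.Method]
}

// Simulate feeds n requests carrying distinct non-standard methods (the
// advisory's PoC pattern, generated locally) into two label maps that stand
// in for a counter's attribute set: "raw" records the method as received
// (otelhttp before v0.44.0), "safe" records the normalized label.
func Simulate(n int) (rawLabels, safeLabels int) {
	rng := rand.New(rand.NewSource(1))
	raw, safe := map[string]int{}, map[string]int{}
	for i := 0; i < n; i++ {
		// Distinct per request, as an attacker-chosen method would be.
		m := fmt.Sprintf("M%d%c", i, 'A'+rng.Intn(26))
		r, _ := http.NewRequest(m, "http://localhost/", nil)
		raw[r.Method]++
		safe[NormalizeMethod(r.Method)]++
	}
	return len(raw), len(safe)
}

func main() {
	rawLabels, safeLabels := Simulate(1000)
	fmt.Printf("distinct method labels: raw=%d normalized=%d\n", rawLabels, safeLabels)
}
```

With 1000 requests the raw map holds 1000 label values while the normalized one holds a single "unknown" entry, which is the whole difference between the vulnerable and the fixed behaviour.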
To fix the error in https://github.com/harvester/network-controller-harvester/pull/135#issuecomment-2560756049, we need to update go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/trace to >=v1.20.
But it will run into the compile error below. Will find out the cause to fix it.
# go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/instrumentation.go:22:63: undefined: commonpb.InstrumentationScope
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/instrumentation.go:26:19: undefined: commonpb.InstrumentationScope
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:39:31: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:55:25: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:70:5: unknown field ScopeSpans in struct literal of type "go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:70:28: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:71:5: unknown field SchemaUrl in struct literal of type "go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:83:30: rs.ScopeSpans undefined (type *"go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans has no field or method ScopeSpans)
# k8s.io/client-go/applyconfigurations/meta/v1
vendor/k8s.io/client-go/applyconfigurations/meta/v1/unstructured.go:64:38: cannot use doc (variable of type *"github.com/google/gnostic/openapiv2".Document) as *"github.com/google/gnostic-models/openapiv2".Document value in argument to proto.NewOpenAPIData
# github.com/rancher/steve/pkg/schema/converter
vendor/github.com/rancher/steve/pkg/schema/converter/openapi.go:66:38: cannot use openapi (variable of type *"github.com/google/gnostic/openapiv2".Document) as *"github.com/google/gnostic-models/openapiv2".Document value in argument to proto.NewOpenAPIData
FATA[0086] exit status 1
This pull request is now in conflict. Could you fix it @renovate[bot]? 🙏