0002-pkg-plugins-use-a-dummy-hostname-for-local-connectio.patch 3.4 KB

  1. From 09306e7eb3c26ade69ef1e4c99d5b1fd9c0b7364 Mon Sep 17 00:00:00 2001
  2. From: Sebastiaan van Stijn <github@gone.nl>
  3. Date: Wed, 12 Jul 2023 15:07:59 +0200
  4. Subject: [PATCH] pkg/plugins: use a dummy hostname for local connections
  5. For local communications (npipe://, unix://), the hostname is not used,
  6. but we need valid and meaningful hostname.
  7. The current code used the socket path as hostname, which gets rejected by
  8. go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
  9. which was implemented in https://go.dev/issue/60374.
  10. Prior versions of Go would clean the host header, and strip slashes in the
  11. process, but go1.20.6 and go1.19.11 no longer do, and reject the host
  12. header.
  13. Before this patch, tests would fail on go1.20.6:
  14. === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
  15. time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
  16. time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
  17. time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
  18. time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
  19. authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
  20. [1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
  21. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
  22. (cherry picked from commit 6b7705d5b29e226a24902a8dcc488836faaee33c)
  23. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
  24. ---
  25. pkg/plugins/client.go | 14 ++++++++++++--
  26. 1 file changed, 12 insertions(+), 2 deletions(-)
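diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
index 752fecd0ae..e683eb777d 100644
--- a/pkg/plugins/client.go
+++ b/pkg/plugins/client.go
@@ -18,6 +18,12 @@ import (
 const (
 defaultTimeOut = 30
+
+ // dummyHost is a hostname used for local communication.
+ //
+ // For local communications (npipe://, unix://), the hostname is not used,
+ // but we need valid and meaningful hostname.
+ dummyHost = "plugin.moby.localhost"
 )
 func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
 return nil, err
 }
 scheme := httpScheme(u)
-
- return transport.NewHTTPTransport(tr, scheme, socket), nil
+ hostName := u.Host
+ if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
+ // Override host header for non-tcp connections.
+ hostName = dummyHost
+ }
+ return transport.NewHTTPTransport(tr, scheme, hostName), nil
 }
 // NewClient creates a new plugin client (http).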
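Review bot: The new `if` in newTransport also fires when `u.Host` is empty on any scheme, not only for unix/npipe, so the inline comment `// Override host header for non-tcp connections.` understates what the branch does; suggest `// Use a fixed, valid Host header for local sockets (unix/npipe) and for addresses that carry no host.` The `u.Scheme == "unix"` comparisons are exact-case, which is fine if `u` comes from url.Parse (it lowercases the scheme) — that origin is outside the hunk, so worth confirming. Since the only coverage of this fix visible here is the indirect pkg/authorization failure quoted in the description, a small regression test in pkg/plugins asserting that a `unix://` address yields a transport whose requests carry `Host: plugin.moby.localhost` would pin the behaviour against future net/http tightening. newTransport starts before this hunk.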
  56. --
  57. 2.41.0