Skip to content

Commit

Permalink
upgrade to latest dependencies (#576)
Browse files Browse the repository at this point in the history
bumping knative.dev/pkg d6ab729...29775d7:
  > 29775d7 [release-1.12] [CVE-2023-44487] Disable http2 for webhooks (# 2876)

Signed-off-by: Knative Automation <automation@knative.team>
  • Loading branch information
knative-automation authored Oct 23, 2023
1 parent a198125 commit 73cd5e8
Show file tree
Hide file tree
Showing 4 changed files with 22 additions and 4 deletions.
2 changes: 1 addition & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ require (
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
knative.dev/hack v0.0.0-20231016131700-2c938d4918da
knative.dev/networking v0.0.0-20231017124814-2a7676e912b7
knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
sigs.k8s.io/gateway-api v0.8.1
sigs.k8s.io/yaml v1.3.0
)
Expand Down
4 changes: 2 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -682,8 +682,8 @@ knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70N
knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
knative.dev/networking v0.0.0-20231017124814-2a7676e912b7 h1:6+1icZuxiZO1paFZ4d/ysKWVG2M4WB7OxNJNyLG0P/E=
knative.dev/networking v0.0.0-20231017124814-2a7676e912b7/go.mod h1:1gcHoIVG47ekQWjkddqRq+/7tWRh+CB9W4k/NAcdRbk=
knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c h1:xyPoEToTWeBdn6tinhLxXfnhJhTNQt5WzHiTNiFphRw=
knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
Expand Down
18 changes: 18 additions & 0 deletions vendor/knative.dev/pkg/webhook/webhook.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,17 @@ type Options struct {
// ControllerOptions encapsulates options for creating a new controller,
// including throttling and stats behavior.
ControllerOptions *controller.ControllerOptions

// EnableHTTP2 enables HTTP2 for webhooks.
// Mitigate CVE-2023-44487 by disabling HTTP2 by default until the Go
// standard library and golang.org/x/net are fully fixed.
// Right now, it is possible for authenticated and unauthenticated users to
// hold open HTTP2 connections and consume huge amounts of memory.
// See:
// * https://github.com/kubernetes/kubernetes/pull/121120
// * https://github.com/kubernetes/kubernetes/issues/121197
// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
EnableHTTP2 bool
}

// Operation is the verb being operated on
Expand Down Expand Up @@ -245,12 +256,19 @@ func (wh *Webhook) Run(stop <-chan struct{}) error {
QuietPeriod: wh.Options.GracePeriod,
}

// If TLSNextProto is not nil, HTTP/2 support is not enabled automatically.
nextProto := map[string]func(*http.Server, *tls.Conn, http.Handler){}
if wh.Options.EnableHTTP2 {
nextProto = nil
}

server := &http.Server{
ErrorLog: log.New(&zapWrapper{logger}, "", 0),
Handler: drainer,
Addr: fmt.Sprint(":", wh.Options.Port),
TLSConfig: wh.tlsConfig,
ReadHeaderTimeout: time.Minute, //https://medium.com/a-journey-with-go/go-understand-and-mitigate-slowloris-attack-711c1b1403f6
TLSNextProto: nextProto,
}

var serve = server.ListenAndServe
Expand Down
2 changes: 1 addition & 1 deletion vendor/modules.txt
Original file line number Diff line number Diff line change
Expand Up @@ -931,7 +931,7 @@ knative.dev/networking/test/test_images/runtime/handlers
knative.dev/networking/test/test_images/timeout
knative.dev/networking/test/test_images/wsserver
knative.dev/networking/test/types
# knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
# knative.dev/pkg v0.0.0-20231023151236-29775d7c9e5c
## explicit; go 1.18
knative.dev/pkg/apis
knative.dev/pkg/apis/duck
Expand Down

0 comments on commit 73cd5e8

Please sign in to comment.