chore(deps): Update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.39.0 [security] #1452
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
…n/net/http/otelhttp to v0.39.0 [security] Signed-off-by: Renovate Bot <bot@renovateapp.com>
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #1452 +/- ##
==========================================
+ Coverage 54.11% 54.34% +0.22%
==========================================
Files 116 116
Lines 13084 13084
==========================================
+ Hits 7081 7111 +30
+ Misses 5407 5376 -31
- Partials 596 597 +1
|
charithe
approved these changes
Feb 9, 2023
charithe
changed the title
charithe
deleted the
renovate/go-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.38.0->v0.39.0GitHub Vulnerability Alerts
CVE-2023-25151
Impact
The v0.38.0 release of
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpuses thehttpconv.ServerRequestfunction to annotate metric measurements for thehttp.server.request_content_length,http.server.response_content_length, andhttp.server.durationinstruments.The
ServerRequestfunction sets thehttp.targetattribute value to be the whole request URI (including the query string)1. The metric instruments do not "forget" previous measurement attributes whencumulativetemporality is used, this means the cardinality of the measurements allocated is directly correlated with the unique URIs handled. If the query string is constantly random, this will result in a constant increase in memory allocation that can be used in a denial-of-service attack.Pseudo-attack:
Patches
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp- v0.39.0go.opentelemetry.io/contrib/instrumentation/github.com/astaxie/beego/otelbeego- v0.39.0Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Footnotes
https://togithub.com/open-telemetry/opentelemetry-go/blob/6cb5718eaaed5c408c3bf4ad1aecee5c20ccdaa9/semconv/internal/v2/http.go#L202-L208 ↩