Backport security audit fixes (V01-V07), snappy gRPC fix, and stream push panic fix to release-1.21#7574
Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
* drop digest verification fail packets Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * fix lint Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> --------- Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
* add checking logic if not distributor side request Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * Add SignWriteRequestsKeys Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * change addr Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * fix flakiness Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * fix test message Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * Add SecretStringSliceCSV type Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> --------- Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
#7512) * security: fix stored XSS in alertmanager and storegateway status pages Replace text/template with html/template in alertmanager_http.go and gateway_http.go to auto-escape HTML special characters. This prevents stored XSS via crafted gossip member names rendered on status pages. The html/template package has an identical API to text/template but automatically escapes HTML, JS, and URI contexts. Add TestStatusHandler_HTMLEscaping to verify XSS payloads are escaped. Fixes #22 Signed-off-by: Daniel Blando <ddeluigg@amazon.com> * Fix lint Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * changelog Signed-off-by: Daniel Blando <ddeluigg@amazon.com> --------- Signed-off-by: Daniel Blando <ddeluigg@amazon.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> Co-authored-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
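The text/template to html/template swap the commit above describes, shown side by side as an added example (this is not Cortex code; the status-page template, the member type and the payload are constructed stand-ins for the alertmanager and store-gateway member tables). The same template is parsed by both packages; the crafted member name is interpolated into an href query value, an HTML text node and a JS string literal, and only html/template escapes it for each context.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// statusPage is a hypothetical status-page template standing in for the
// member tables on the alertmanager and store-gateway status pages. The
// member name comes from gossip, so it is attacker influenced, and it lands
// in three contexts: an href query value, HTML text and a JS string literal.
const statusPage = `<ul>{{range .Members}}` +
	`<li><a href="/member?name={{.Name}}">{{.Name}}</a>` +
	`<script>var n = "{{.Name}}";</script></li>` +
	`{{end}}</ul>`

type member struct{ Name string }

type statusData struct{ Members []member }

func toData(names []string) statusData {
	d := statusData{}
	for _, n := range names {
		d.Members = append(d.Members, member{Name: n})
	}
	return d
}

// renderText is the vulnerable "before": text/template copies each value
// into the output verbatim, so a crafted member name becomes live markup.
func renderText(names []string) (string, error) {
	t, err := texttemplate.New("status").Parse(statusPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, toData(names)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML is the fixed "after": html/template has the same API but
// escapes each value for the context it lands in (URL query, HTML text,
// JS string), so the payload is rendered as data rather than executed.
func renderHTML(names []string) (string, error) {
	t, err := htmltemplate.New("status").Parse(statusPage)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, toData(names)); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed input: one benign member and one gossip name carrying a script tag.
	names := []string{"ingester-1", `<script>alert(1)</script>`}
	before, err := renderText(names)
	if err != nil {
		panic(err)
	}
	after, err := renderHTML(names)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:\n" + before)
	fmt.Println("html/template:\n" + after)
}
```

The check a reviewer wants from a test like TestStatusHandler_HTMLEscaping is the second half of this: not just that the page renders, but that the raw payload is absent from the output and the escaped forms are present.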
… ingestion path (#7515) Wrap gzip.Reader with io.LimitReader(maxSize+1) before reading decompressed bytes in both pkg/util/http.go and pkg/util/push/otlp.go. Signed-off-by: Daniel Blando <ddeluigg@amazon.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
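The bounded-decompression pattern the commit above describes (io.LimitReader(maxSize+1) over the gzip reader), written out as an added example rather than the pkg/util code itself. The function names, the limit value and the in-memory gzip inputs are constructed for illustration. The point of the extra byte is that a body of exactly maxSize bytes is accepted while anything larger is rejected after inflating at most maxSize+1 bytes, so a decompression bomb never gets to expand in memory.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// errTooLarge is returned when the inflated body would exceed maxSize.
var errTooLarge = errors.New("decompressed body exceeds size limit")

// readGzipBounded inflates r but never reads more than maxSize+1 bytes of
// output. Reading one byte past the limit is what distinguishes "exactly at
// the limit" (accepted) from "over the limit" (rejected) without inflating
// the whole stream. Hypothetical helper, not Cortex's own function.
func readGzipBounded(r io.Reader, maxSize int64) ([]byte, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	body, err := io.ReadAll(io.LimitReader(gz, maxSize+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > maxSize {
		return nil, errTooLarge
	}
	return body, nil
}

// gzipBytes compresses an in-memory payload (used to construct inputs).
func gzipBytes(payload []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	_, _ = w.Write(payload)
	_ = w.Close()
	return buf.Bytes()
}

// bombBytes builds a small gzip stream that inflates to n zero bytes, a
// constructed stand-in for a decompression bomb: a few KiB on the wire,
// n bytes once inflated.
func bombBytes(n int) []byte {
	return gzipBytes(make([]byte, n))
}

func main() {
	const limit = 1 << 20 // hypothetical 1 MiB request-size limit
	bomb := bombBytes(8 << 20)
	fmt.Printf("bomb on the wire: %d bytes, inflates to %d bytes\n", len(bomb), 8<<20)
	_, err := readGzipBounded(bytes.NewReader(bomb), limit)
	fmt.Println("bomb:", err)
	body, err := readGzipBounded(bytes.NewReader(gzipBytes(make([]byte, limit))), limit)
	fmt.Printf("at limit: %d bytes, err=%v\n", len(body), err)
	_, err = readGzipBounded(bytes.NewReader(gzipBytes(make([]byte, limit+1))), limit)
	fmt.Println("one byte over:", err)
}
```

One caveat worth knowing: when the limit cuts the read short the gzip trailer (CRC) is never verified, which is fine because the request is rejected anyway; a body at or under the limit is read to EOF and the CRC is checked as usual. Content-Length says nothing about the inflated size, so the limit has to be enforced on the decompressed stream exactly as here.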
* add flags for TCP connection limits and timeouts Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * ensure semaphore slot is held for the lifetime of stream connections Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * modernize Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * change oversize packet log level to debug Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * add metrics Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * add stream to activeConnections to make accurate tracking Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * add histogram for tracking inbound packet sizes in bytes Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> --------- Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
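The connection-limit pattern the commit above describes (a semaphore slot taken on accept, with a timeout, and held for the whole lifetime of a stream connection), as an added example that is not Cortex or memberlist code. The limiter type, its method names and the simulated streams are constructed for illustration; the active-connection counter stands in for the metric the commit adds. The defer in HandleStream is the part the "held for the lifetime" fix is about: the slot is released only when the stream handler returns, never earlier.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

var errLimitReached = errors.New("connection limit reached")

// ConnLimiter caps concurrent inbound connections using a buffered channel
// as a counting semaphore. Hypothetical type for this example.
type ConnLimiter struct {
	slots    chan struct{}
	inflight atomic.Int64 // stands in for an "active connections" gauge
}

func NewConnLimiter(max int) *ConnLimiter {
	return &ConnLimiter{slots: make(chan struct{}, max)}
}

// Acquire takes a slot, or fails when ctx expires first (the accept
// timeout), so a saturated listener refuses instead of queueing forever.
func (l *ConnLimiter) Acquire(ctx context.Context) error {
	select {
	case l.slots <- struct{}{}:
		l.inflight.Add(1)
		return nil
	case <-ctx.Done():
		return fmt.Errorf("%w: %v", errLimitReached, ctx.Err())
	}
}

func (l *ConnLimiter) Release() {
	<-l.slots
	l.inflight.Add(-1)
}

// Active reports how many connections currently hold a slot.
func (l *ConnLimiter) Active() int64 { return l.inflight.Load() }

// HandleStream is the shape of a stream-connection handler: the slot is
// taken before the stream body runs and released only when handle returns,
// so a long-lived stream can never outlive its accounting.
func (l *ConnLimiter) HandleStream(ctx context.Context, acquireTimeout time.Duration, handle func(context.Context) error) error {
	actx, cancel := context.WithTimeout(ctx, acquireTimeout)
	defer cancel()
	if err := l.Acquire(actx); err != nil {
		return err
	}
	defer l.Release()
	return handle(ctx)
}

func main() {
	l := NewConnLimiter(2)
	block := make(chan struct{})
	var wg sync.WaitGroup
	for i := 0; i < 2; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			err := l.HandleStream(context.Background(), time.Second, func(ctx context.Context) error {
				<-block // simulated long-lived stream
				return nil
			})
			fmt.Printf("stream %d done: %v\n", id, err)
		}(i)
	}
	for l.Active() < 2 {
		time.Sleep(time.Millisecond)
	}
	// A third connection cannot get a slot while both streams are still open.
	err := l.HandleStream(context.Background(), 50*time.Millisecond, func(context.Context) error { return nil })
	fmt.Println("third stream:", err)
	close(block)
	wg.Wait()
	fmt.Println("active after streams closed:", l.Active())
}
```

If the release were placed after the handshake instead of in the defer, the third connection above would be admitted while two streams are still open and the gauge would under-report, which is exactly the tracking gap the commit's "add stream to activeConnections" step closes.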
Signed-off-by: Paurush Garg <paurushg@amazon.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
* Triggers issue in #7456 Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * Including integration tests Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * Fix snappy register in grpcclient.go Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * Improve integration test Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> * Update changelog and spawn grpc integration test for this Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com> --------- Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
@friedrichg force-pushed from 27bfcec to f70e08f
sandy2008 left a comment
Took a careful pass over the backport — diffed each cherry-pick against its upstream PR and built + vetted the branch under -tags 'netgo slicelabels'. Overall this is a clean, faithful backport: every production hunk for V01–V07 + the snappy fix is byte-identical to upstream, the []Histogram → []WrappedHistogram swap and the regenerated cortex.pb.go build green, and the dropped tests are the right ones (they depend on StartTimestamp/CreatedTimestamp from #7371, which isn't on 1.21).
A few small things inline — mostly test-quality (a couple of the security tests currently pass without actually exercising what they guard), one CHANGELOG/rc nit, and one empty-signing-key edge case carried over from #7475 (flagging for a follow-up, not a blocker). Thanks for putting this together!
… marshalling (#7541) * fix panic in stream push when context deadline expires during request marshalling Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * fix error handling Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> * extract job processing Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> --------- Signed-off-by: SungJin1212 <tjdwls1201@gmail.com> Signed-off-by: Friedrich Gonzalez <1517449+friedrichg@users.noreply.github.com>
Summary
Prepares v1.21.1-rc.0 by backporting all seven Quarkslab security-audit fixes (V01-V07), PR #7459 (snappy gRPC panic), and PR #7541 (stream push panic) onto the release-1.21 branch.

Backport status

Plus a final commit bumping VERSION to 1.21.1-rc.0 per RELEASE.md.

V05 (#7570) conflict resolution notes

* … [ENHANCEMENT] line as [BUGFIX] to match the patch-release tone. All nine new entries appear under ## 1.21.1 in progress.
* … TestIngest_StartTimestamp, TestIngest_CreatedTimestampFallback, TestIngest_StartAndCreatedTimestampIgnoredWhenDisabled); they belong to Support Start TimeStamp (ST) & Created Timestamp (CT) on PRW2 #7371 which isn't on release-1.21.
* … fileDescriptor blob; it matches the cherry-picked .proto.
* … Histograms []Histogram -> []WrappedHistogram swap and the MetadataV2 reuse-clearing assertions; dropped the CreatedTimestamp setup + assert.Zero because ReuseTimeseriesV2 on release-1.21 doesn't clear CreatedTimestamp, so the upstream assertion would fail. The MetadataV2 field exists on release-1.21 and is reset by ReuseTimeseriesV2, so its coverage is preserved.
* … TestIngester_Push_StartTimestamp and TestIngester_Push_StartTimestampAppendFailureMetrics; both depend on StartTimestamp.
* … Test_convertV2RequestToV1_PreservesStartTimestamp; same reason.

Test plan

go build ./...
go test -timeout 2400s -tags "netgo slicelabels" ./...