fix: [CI-21185]: Upgrade Go to 1.25.7 and run as non-root user#51

Merged
spahuja-harness merged 1 commit into main from release/ci-21185-security-fixes
Mar 4, 2026

Conversation

@spahuja-harness spahuja-harness commented Mar 4, 2026

Summary

Fixes critical security vulnerabilities by upgrading Go version and implementing non-root user execution.

Security Fixes

1. Go Version Upgrade: 1.25 → 1.25.7

Addresses three CVEs:

| CVE | Severity | CVSS | Package | Description |
|---|---|---|---|---|
| CVE-2025-68121 | Critical | 10.0 | crypto/tls | Session resumption vulnerability |
| CVE-2025-61726 | High | 7.5 | net/url | Unlimited query parameters |
| CVE-2025-61730 | Medium | 5.3 | crypto/tls | TLS 1.3 handshake boundary issue |

2. Non-Root User Implementation

  • Container now runs as nobody:nobody (uid:gid 65534:65534)
  • Prevents privilege escalation attacks
  • Copied /etc/passwd for proper user resolution
  • Improves overall container security posture

Changes

Dockerfile Updates:

  • Base image: golang:1.25-alpine3.21 → golang:1.25.7
  • Package manager: apk → apt-get (Go 1.25.7 uses Debian base)
  • Added USER 65534:65534 directive
  • Added COPY --from=builder /etc/passwd /etc/passwd

Testing

Build validation:

  • Docker image builds successfully
  • Binary size: ~10MB (plugin binary)

Version check:

docker run plugin-test:latest /binaries/plugin --version
# Output: test-1.0.0 (build version embedded via ldflags)

User validation:

docker inspect plugin-test:latest --format='User: {{.Config.User}}'
# Output: User: 65534:65534

Permission validation:

  • Non-root user cannot write to restricted directories
  • Permission denied for /nonexistent (expected behavior)

Related

  • Story: CI-21185
  • Branch format: release/* for Harness CI PATCH releases

Security fixes:
1. Upgrade Go from 1.25 to 1.25.7 to fix critical CVEs:
   - CVE-2025-68121 (critical, CVSS 10.0) - crypto/tls session resumption issue
   - CVE-2025-61726 (high, CVSS 7.5) - net/url query parameter limit
   - CVE-2025-61730 (medium, CVSS 5.3) - crypto/tls handshake boundary issue

2. Run container as non-root user (uid:gid 65534:65534):
   - Added USER directive to run as nobody:nobody
   - Copied /etc/passwd for user resolution
   - Prevents privilege escalation and improves container security

Changes:
- Updated base image: golang:1.25-alpine3.21 → golang:1.25.7
- Changed from apk (alpine) to apt-get (debian) for Go 1.25.7 image
- Added non-root user configuration in final scratch image

Tested:
- Binary builds successfully
- --version flag works: returns build version
- Non-root user (65534:65534) enforced
- Permission restrictions validated
@spahuja-harness spahuja-harness merged commit b4cf804 into main Mar 4, 2026
1 check passed
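The Dockerfile pattern this PR describes (Debian-based golang:1.25.7 builder, scratch final stage, /etc/passwd copied for user resolution, numeric USER), shown as an added example that is not the project's own Dockerfile. The module layout, output path, ldflags variable name, and the extra /etc/group and CA-certificate copies are assumptions beyond what the PR lists.

```dockerfile
# Added example, not the project's Dockerfile. Paths, the ./cmd/plugin
# package and the main.version ldflags variable are assumptions.
FROM golang:1.25.7 AS builder

# golang:1.25.7 is Debian-based, so apt-get replaces apk. CA certificates are
# installed here so they can be copied into the empty final image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .

# Static binary (CGO_ENABLED=0) so it runs in scratch with no libc;
# the build version is embedded via ldflags, as the PR's --version test expects.
ARG VERSION=dev
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath \
      -ldflags="-s -w -X main.version=${VERSION}" \
      -o /out/plugin ./cmd/plugin

FROM scratch

# A scratch image has no user database. Copying /etc/passwd from the Debian
# builder (which defines nobody:x:65534:65534) lets the uid resolve to a name
# for tooling that looks up the current user. /etc/group is an added extra.
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /out/plugin /binaries/plugin

# Numeric uid:gid rather than a name: it is enforced even if /etc/passwd were
# missing, and lets a Kubernetes runAsNonRoot check verify it without a lookup.
USER 65534:65534

ENTRYPOINT ["/binaries/plugin"]
```

The PR's own checks apply unchanged: `docker inspect --format='{{.Config.User}}'` should print `65534:65534`, and a write to a root-owned path inside the container should be refused.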