From d8257d5ec8f717b521e80678d7f67e1bd08ee72f Mon Sep 17 00:00:00 2001
From: Nick Tindall <nick.tindall@elastic.co>
Date: Fri, 5 Sep 2025 23:13:50 +1000
Subject: [PATCH] Upgrade Netty to 4.1.126.Final (#134182)

(cherry picked from commit 500c4ff6252ed58c3162f1b92c6a21e01b43df41)
---
 build-tools-internal/version.properties       |   2 +-
 docs/changelog/134182.yaml                    |   5 +
 gradle/verification-metadata.xml              |  84 +++++------
 ...ecurityNetty4HttpServerTransportTests.java | 131 ++++++++----------
 4 files changed, 105 insertions(+), 117 deletions(-)
 create mode 100644 docs/changelog/134182.yaml

diff --git a/build-tools-internal/version.properties b/build-tools-internal/version.properties
index bd254ce4a773f..b1f3e03bcad4d 100644
--- a/build-tools-internal/version.properties
+++ b/build-tools-internal/version.properties
@@ -14,7 +14,7 @@ log4j             = 2.19.0
 slf4j             = 2.0.6
 ecsLogging        = 1.2.0
 jna               = 5.12.1
-netty             = 4.1.118.Final
+netty             = 4.1.126.Final
 commons_lang3     = 3.9
 google_oauth_client = 1.34.1
 awsv1sdk            = 1.12.270
diff --git a/docs/changelog/134182.yaml b/docs/changelog/134182.yaml
new file mode 100644
index 0000000000000..4ec8a96a8ccc9
--- /dev/null
+++ b/docs/changelog/134182.yaml
@@ -0,0 +1,5 @@
+pr: 134182
+summary: Upgrade Netty to 4.1.126.Final
+area: Network
+type: upgrade
+issues: []
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index ce30fe7bf10dd..4e40d2c73469a 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -1452,74 +1452,74 @@
             <sha256 value="a3ebec96768ee4a2d3db44597e84cea2d0bdd68ca04822397980ea9f67075a86" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-buffer" version="4.1.118.Final">
-         <artifact name="netty-buffer-4.1.118.Final.jar">
-            <sha256 value="0eea4e8666a9636a28722661d8ba5fa8564477e75fec6dd2ff3e324e361f8b3c" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-buffer" version="4.1.126.Final">
+         <artifact name="netty-buffer-4.1.126.Final.jar">
+            <sha256 value="d741726adcc76107553092d456d0da5837daad39919c8a40df15327d7fa3296d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec" version="4.1.118.Final">
-         <artifact name="netty-codec-4.1.118.Final.jar">
-            <sha256 value="4abd215fd1ed7ce86509d169cc9cbede5042176c265a79b3b70602b017226c3f" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec" version="4.1.126.Final">
+         <artifact name="netty-codec-4.1.126.Final.jar">
+            <sha256 value="8ebb8284cc76b26025d892ff8bc1a90cc4ae7492dae0e3794068cd8ebc452600" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-dns" version="4.1.118.Final">
-         <artifact name="netty-codec-dns-4.1.118.Final.jar">
-            <sha256 value="e115e42ca1e3cc8d85e3a632d8faa102d18c0ebc1fa4511af30bec79f8c147d4" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-dns" version="4.1.126.Final">
+         <artifact name="netty-codec-dns-4.1.126.Final.jar">
+            <sha256 value="5aa5e450b29deb509c058ad20208aaef7c79503571c2490c532242db2e69261e" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-http" version="4.1.118.Final">
-         <artifact name="netty-codec-http-4.1.118.Final.jar">
-            <sha256 value="09822d785e9a794838031ddd5346cf419b30c036a981c2e277a062bea884174b" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-http" version="4.1.126.Final">
+         <artifact name="netty-codec-http-4.1.126.Final.jar">
+            <sha256 value="0a32369bbd7278f1066048fc0830f2a6df1f0f72de6ae7f5386976c4d2f6788f" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-http2" version="4.1.118.Final">
-         <artifact name="netty-codec-http2-4.1.118.Final.jar">
-            <sha256 value="68da0b1a34dceb00a6f9f6f788fb2f6b7b9e4adba8c70658ac2bd7eb898b97ae" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-http2" version="4.1.126.Final">
+         <artifact name="netty-codec-http2-4.1.126.Final.jar">
+            <sha256 value="bb5eb960f552d9b90a98c8bc40e40b89316294c1dd1e67b2728ad047f2da3bbe" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-codec-socks" version="4.1.118.Final">
-         <artifact name="netty-codec-socks-4.1.118.Final.jar">
-            <sha256 value="094465e3cfb3aef0fca38ed82b801f53a6c8be7ae1f83ab0c1b2e8ece2586840" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-codec-socks" version="4.1.126.Final">
+         <artifact name="netty-codec-socks-4.1.126.Final.jar">
+            <sha256 value="1f1d56665f4793dbbadab34c604597a680f60425de0027434f9499c183da9df5" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-common" version="4.1.118.Final">
-         <artifact name="netty-common-4.1.118.Final.jar">
-            <sha256 value="65cce901ecf0f9d6591cc7750772614ab401a84415dc9aec9da4d046f0f9a77c" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-common" version="4.1.126.Final">
+         <artifact name="netty-common-4.1.126.Final.jar">
+            <sha256 value="ac2b777562723a94962ea30a30d968fa5678455141ede64100b9d0530426db9c" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-handler" version="4.1.118.Final">
-         <artifact name="netty-handler-4.1.118.Final.jar">
-            <sha256 value="26e3f8a5e859fd62cf3c13dc6d75e4e18879f000a5d0ad7f58f8679675d23dae" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-handler" version="4.1.126.Final">
+         <artifact name="netty-handler-4.1.126.Final.jar">
+            <sha256 value="1846e8e770288aab3a203a16f78e2515ddba0bf9df1c26665ceffc38c9fc875b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-handler-proxy" version="4.1.118.Final">
-         <artifact name="netty-handler-proxy-4.1.118.Final.jar">
-            <sha256 value="fef926126f44c668968dd3e2389c2552981d452e6dfc23b1f9bd03db92c21f96" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-handler-proxy" version="4.1.126.Final">
+         <artifact name="netty-handler-proxy-4.1.126.Final.jar">
+            <sha256 value="7b715cbad91daf9cde48105e1ab5cc45e06b3b19523f536c2d27a3b908f6d41b" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-resolver" version="4.1.118.Final">
-         <artifact name="netty-resolver-4.1.118.Final.jar">
-            <sha256 value="3170c225972c18b6850d28add60db15bb28d83c4e3d5b686ca220e0bd7273c8a" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-resolver" version="4.1.126.Final">
+         <artifact name="netty-resolver-4.1.126.Final.jar">
+            <sha256 value="c66be4ca4e37c263af785253449024b7ef150093257490c208bdc1d774e2c6d7" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-resolver-dns" version="4.1.118.Final">
-         <artifact name="netty-resolver-dns-4.1.118.Final.jar">
-            <sha256 value="c0e0fdaffaba849e3145b2b96288fc8fc6f3b2a623cf72aaba708288348e4938" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-resolver-dns" version="4.1.126.Final">
+         <artifact name="netty-resolver-dns-4.1.126.Final.jar">
+            <sha256 value="20646906e1f5506673c42f96e862706a94441dce1b8119163c9c5fefcac046b8" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-transport" version="4.1.118.Final">
-         <artifact name="netty-transport-4.1.118.Final.jar">
-            <sha256 value="ab3751e717daef9c8d91e4d74728a48730bd8530b72e2466b222b2ea3fb07db9" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-transport" version="4.1.126.Final">
+         <artifact name="netty-transport-4.1.126.Final.jar">
+            <sha256 value="30065562b7708e88cdf7c3fd192be9083651be538676ba27c8631e255825f315" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-transport-classes-epoll" version="4.1.118.Final">
-         <artifact name="netty-transport-classes-epoll-4.1.118.Final.jar">
-            <sha256 value="bd86e6d41e1f6053f9577931655236259778ab045646e1e6ab04150f070864f3" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-transport-classes-epoll" version="4.1.126.Final">
+         <artifact name="netty-transport-classes-epoll-4.1.126.Final.jar">
+            <sha256 value="d7e0684969dad68e224e4fbf3e8e0de6b5191b25d820f8d6ae05201c70b33654" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="io.netty" name="netty-transport-native-unix-common" version="4.1.118.Final">
-         <artifact name="netty-transport-native-unix-common-4.1.118.Final.jar">
-            <sha256 value="69b16793d7b41ea76a762bd2bd144fc4f7c39c156a7a59ebf69baeb560fb10b7" origin="Generated by Gradle"/>
+      <component group="io.netty" name="netty-transport-native-unix-common" version="4.1.126.Final">
+         <artifact name="netty-transport-native-unix-common-4.1.126.Final.jar">
+            <sha256 value="b6578df0ad9092f4e846d34976a5f887b067ebaa71307eb90653d3a1898c1f5f" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="io.opencensus" name="opencensus-api" version="0.30.0">
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
index 0663172fa2e9c..5e06236dfaeca 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/transport/netty4/SecurityNetty4HttpServerTransportTests.java
@@ -573,9 +573,8 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("This is not a valid HTTP line"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("This is not a valid HTTP line", buf);
+                    appendCrLf(buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     assertThat(dispatchThrowableReference.get().toString(), containsString("NOT A VALID HTTP LINE"));
@@ -586,9 +585,8 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("GET /this/is/a/valid/but/too/long/initial/line HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("GET /this/is/a/valid/but/too/long/initial/line HTTP/1.1", buf);
+                    appendCrLf(buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     assertThat(dispatchThrowableReference.get().toString(), containsString("HTTP line is larger than"));
@@ -599,11 +597,9 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("GET /url HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    ByteBufUtil.copy(AsciiString.of("Host"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("GET /url HTTP/1.1", buf);
+                    appendAsciiLine("Host", buf);
+                    appendCrLf(buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     assertThat(dispatchThrowableReference.get().toString(), containsString("No colon found"));
@@ -614,11 +610,9 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("GET /url HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    ByteBufUtil.copy(AsciiString.of("Host: this.looks.like.a.good.url.but.is.longer.than.permitted"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("GET /url HTTP/1.1", buf);
+                    appendAsciiLine("Host: this.looks.like.a.good.url.but.is.longer.than.permitted", buf);
+                    appendCrLf(buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     assertThat(dispatchThrowableReference.get().toString(), containsString("HTTP header is larger than"));
@@ -629,12 +623,11 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("GET /url HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("GET /url HTTP/1.1", buf);
                     ByteBufUtil.copy(AsciiString.of("Host: invalid header value"), buf);
                     buf.writeByte(0x01);
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    appendCrLf(buf);
+                    appendCrLf(buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     assertThat(dispatchThrowableReference.get().toString(), containsString("Validation failed for header 'Host'"));
@@ -645,10 +638,8 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 {
                     EmbeddedChannel ch = new EmbeddedChannel(handler);
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("GET /url HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
-                    ByteBufUtil.copy(AsciiString.of("Host: localhost"), buf);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("GET /url HTTP/1.1", buf);
+                    appendAsciiLine("Host: localhost", buf);
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     safeGet(ch.close());
@@ -702,33 +693,24 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 // OPTIONS request with fixed length content written in one chunk
                 {
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("OPTIONS /url/whatever/fixed-length-single-chunk HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("OPTIONS /url/whatever/fixed-length-single-chunk HTTP/1.1", buf);
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Host: localhost"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Host: localhost", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Accept: */*"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Accept: */*", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Content-Encoding: gzip"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Content-Encoding: gzip", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(
-                            AsciiString.of("Content-Type: " + randomFrom("text/plain; charset=utf-8", "application/json; charset=utf-8")),
-                            buf
-                        );
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Content-Type: " + randomFrom("text/plain; charset=utf-8", "application/json; charset=utf-8"), buf);
                     }
                     String content = randomAlphaOfLengthBetween(4, 1024);
                     // having a "Content-Length" request header is what makes it "fixed length"
-                    ByteBufUtil.copy(AsciiString.of("Content-Length: " + content.length()), buf);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("Content-Length: " + content.length(), buf);
                     // end of headers
-                    buf.writeByte(HttpConstants.LF);
+                    appendCrLf(buf);
                     ByteBufUtil.copy(AsciiString.of(content), buf);
                     // write everything in one single chunk
                     ch.writeInbound(buf);
@@ -745,63 +727,44 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
                 }
                 {
                     ByteBuf buf = ch.alloc().buffer();
-                    ByteBufUtil.copy(AsciiString.of("OPTIONS /url/whatever/chunked-transfer?encoding HTTP/1.1"), buf);
-                    buf.writeByte(HttpConstants.LF);
+                    appendAsciiLine("OPTIONS /url/whatever/chunked-transfer?encoding HTTP/1.1", buf);
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Host: localhost"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Host: localhost", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Accept: */*"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Accept: */*", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Content-Encoding: gzip"), buf);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Content-Encoding: gzip", buf);
                     }
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(
-                            AsciiString.of("Content-Type: " + randomFrom("text/plain; charset=utf-8", "application/json; charset=utf-8")),
-                            buf
-                        );
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine("Content-Type: " + randomFrom("text/plain; charset=utf-8", "application/json; charset=utf-8"), buf);
                     }
                     // do not write a "Content-Length" header to make the request "variable length"
                     if (randomBoolean()) {
-                        ByteBufUtil.copy(AsciiString.of("Transfer-Encoding: " + randomFrom("chunked", "gzip, chunked")), buf);
+                        appendAsciiLine("Transfer-Encoding: " + randomFrom("chunked", "gzip, chunked"), buf);
                     } else {
-                        ByteBufUtil.copy(AsciiString.of("Transfer-Encoding: chunked"), buf);
+                        appendAsciiLine("Transfer-Encoding: chunked", buf);
                     }
-                    buf.writeByte(HttpConstants.LF);
-                    buf.writeByte(HttpConstants.LF);
+                    // End of headers
+                    appendCrLf(buf);
                     // maybe append some chunks as well
                     String[] contentParts = randomArray(0, 4, String[]::new, () -> randomAlphaOfLengthBetween(1, 64));
                     for (String content : contentParts) {
-                        ByteBufUtil.copy(AsciiString.of(Integer.toHexString(content.length())), buf);
-                        buf.writeByte(HttpConstants.CR);
-                        buf.writeByte(HttpConstants.LF);
-                        ByteBufUtil.copy(AsciiString.of(content), buf);
-                        buf.writeByte(HttpConstants.CR);
-                        buf.writeByte(HttpConstants.LF);
+                        appendAsciiLine(Integer.toHexString(content.length()), buf);
+                        appendAsciiLine(content, buf);
                     }
                     ch.writeInbound(buf);
                     ch.flushInbound();
                     ByteBuf buf2 = ch.alloc().buffer();
                     contentParts = randomArray(1, 4, String[]::new, () -> randomAlphaOfLengthBetween(1, 64));
                     for (String content : contentParts) {
-                        ByteBufUtil.copy(AsciiString.of(Integer.toHexString(content.length())), buf2);
-                        buf2.writeByte(HttpConstants.CR);
-                        buf2.writeByte(HttpConstants.LF);
-                        ByteBufUtil.copy(AsciiString.of(content), buf2);
-                        buf2.writeByte(HttpConstants.CR);
-                        buf2.writeByte(HttpConstants.LF);
+                        appendAsciiLine(Integer.toHexString(content.length()), buf2);
+                        appendAsciiLine(content, buf2);
                     }
                     // finish chunked request
-                    ByteBufUtil.copy(AsciiString.of("0"), buf2);
-                    buf2.writeByte(HttpConstants.CR);
-                    buf2.writeByte(HttpConstants.LF);
-                    buf2.writeByte(HttpConstants.CR);
-                    buf2.writeByte(HttpConstants.LF);
+                    appendAsciiLine("0", buf2);
+                    appendCrLf(buf2);
                     ch.writeInbound(buf2);
                     ch.flushInbound();
                     ch.runPendingTasks();
@@ -820,4 +783,24 @@ public void dispatchBadRequest(final RestChannel channel, final ThreadContext th
         }
     }
 
+    /**
+     * Append a string as ASCII terminated by a CR/LF newline
+     *
+     * @param string The string to append
+     * @param buf The buffer to append to
+     */
+    private static void appendAsciiLine(String string, ByteBuf buf) {
+        ByteBufUtil.copy(AsciiString.of(string), buf);
+        appendCrLf(buf);
+    }
+
+    /**
+     * Append a CR/LF newline
+     *
+     * @param buf The buffer to append to
+     */
+    private static void appendCrLf(ByteBuf buf) {
+        buf.writeByte(HttpConstants.CR);
+        buf.writeByte(HttpConstants.LF);
+    }
 }