net: Lookup functions may return invalid host names

[rolandshoemaker]

The net.Lookup{Addr,CNAME,Host} functions don't do any filtering of returned host name string types when using the pure Go resolver, allowing for invalid names to be returned to the caller. If the caller expects these names to be valid they may use them in an unsanitized context, allowing for injection of unexpected content. Depending on the implementation, the cgo resolver may do some level of filtering, for instance the glibc implementation of getaddrinfo does impose its own filtering.

The simple approach to this is to check returned names with the existing isDomainName function, which applies RFC 1035 LDH rules (as well as allowing underscores for SRV style names), and failing out if the returned names are not considered proper. This should mostly match glibc behavior. In order to avoid diverging behavior across implementations, the check should probably be done at the Resolver level, rather than just in the pure Go Lookup... implementations.

This is CVE-2021-33195.

[gopherbot]

Change https://golang.org/cl/320949 mentions this issue: net: verify results from Lookup* are valid domain names

[dmitshur]

Roland, should this issue (and #46242) block Go 1.17 Beta 1 (target date of June 1), or is okay not to block beta 1 as long as it's fixed for final 1.17 release?

[katiehockman]

@dmitshur this will be backported to 1.16 and 1.15 for the upcoming minor releases (targeted to June 1 as well), so if all goes according to plan, it should be merged before the 1.17 beta anyway.

[dmitshur]

@katiehockman If I understand correctly, your comment is suggesting that it would be safe to apply both release-blocker and okay-after-beta1 labels to this issue, so that automated tooling only reports a problem if this issue is unexpectedly still not resolved by the time the final Go 1.17 release is about to be made. Is my understanding right?

[katiehockman]

@dmitshur yes that sounds right. @rolandshoemaker can correct me if I'm wrong there.

[dmitshur]

Thanks. I applied those labels here and in #46242. Please make changes if needed (e.g., you can remove okay-after-beta1 if we shouldn't release Go 1.17 Beta 1 without this fix).

Having these labels helps ensure release tooling will not stay quietl if something doesn't go as originally anticipated, so @rolandshoemaker please feel free to apply them as needed when filing issues in the future.

[rolandshoemaker]

@gopherbot please consider this for backport to 1.15 and 1.16 as this is a security issue.