Backport of [NET-4897] net/http host header is now verified and reque…

…st.host that contains socked now error into release/1.14.x (#18143) ## Backport This PR is auto-generated from #18129 to be assessed for backporting due to the inclusion of the label backport/1.14. :rotating_light: >**Warning** automatic cherry-pick of commits failed. If the first commit failed, you will see a blank no-op commit below. If at least one commit succeeded, you will see the cherry-picked commits up to, _not including_, the commit where the merge conflict occurred. The person who merged in the original PR is: @jmurret This person should manually cherry-pick the original PR into a new backport PR, and close this one when the manual backport PR is merged in. > merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict [] The below text is copied from the body of the original PR. --- ### Description This is related to #18124 where we pinned the go versions in CI to 1.20.5 and 1.19.10. go 1.20.6 and 1.19.11 now validate request host headers for validity, including the hostname cannot be prefixed with slashes. For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname. Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header. Around the community we are seeing that others are intercepting the req.host and if it starts with a slash or ends with .sock, they changing the host to localhost or another dummy value. [client: define a "dummy" hostname to use for local connections by thaJeztah · Pull Request #45942 · moby/moby](moby/moby#45942) ### Testing & Reproduction steps Check CI tests. ### Links * [ ] updated test coverage * [ ] external facing docs updated * [ ] appropriate backport labels added * [ ] not a security concern --- <details> <summary> Overview of commits </summary> - 747195f - 5164924 - f4d6ca1 - a474071 - 8c03b36 - c50b17c - cc8eaf8 - ce10138 - 133c7ec - b0bd440 - 8f22308 - f8578b0 - 4452224 - 19634a4 </details> --------- Co-authored-by: temp <temp@hashicorp.com> Co-authored-by: John Murret <john.murret@hashicorp.com>
hashicorp · Jul 17, 2023 · 9128a08 · 9128a08
1 parent 14c3bc8
commit 9128a08
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -290,7 +290,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
-      go-version: "1.19.10"
+      go-version: "1.19"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read    
@@ -309,12 +309,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
-      # pinning this to 1.20.5 because this issue in go-testcontainers occurs
-      # in 1.20.6 with the error "http: invalid Host header, host port waiting failed"
-      # https://github.com/testcontainers/testcontainers-go/issues/1359
-      # remove setting this when the above issue is fixed so that the reusable
-      # job will just get the go version from go.mod.
-      go-version: "1.20.5"
+      go-version: "1.20"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read    
@@ -352,6 +347,7 @@ jobs:
       runs-on: ${{ needs.setup.outputs.compute-xl }}
       repository-name: ${{ github.repository }}
       go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}"
+      go-version: "1.20"
     permissions:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read    

diff --git a/api/api.go b/api/api.go
@@ -962,6 +962,17 @@ func (r *request) toHTTP() (*http.Request, error) {
 		return nil, err
 	}
 
+	// validate that socket communications that do not use the host, detect
+	// slashes in the host name and replace it with local host.
+	// this is required since go started validating req.host in 1.20.6 and 1.19.11.
+	// prior to that they would strip out the slashes for you.  They removed that
+	// behavior and added more strict validation as part of a CVE.
+	// https://github.com/golang/go/issues/60374
+	// the hope is that
+	if strings.HasPrefix(r.url.Host, "/") {
+		r.url.Host = "localhost"
+	}
+
 	req.URL.Host = r.url.Host
 	req.URL.Scheme = r.url.Scheme
 	req.Host = r.url.Host