Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[24.0 backport] client: define a "dummy" hostname to use for local connections #45962

Merged
merged 4 commits into from Jul 14, 2023
Merged

[24.0 backport] client: define a "dummy" hostname to use for local connections #45962

merged 4 commits into from Jul 14, 2023

Conversation

thaJeztah
Copy link
Member

ℹ️ Minor conflict in a code comment, which was added in a6048fc, and is not part of this branch.

For local communications (npipe://, unix://), the hostname is not used, but we need valid and meaningful hostname.

The current code used the client's addr as hostname in some cases, which could contain the path for the unix-socket (/var/run/docker.sock), which gets rejected by go1.20.6 and go1.19.11 because of a security fix for CVE-2023-29406 , which was implemented in https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the process, but go1.20.6 and go1.19.11 no longer do, and reject the host header.

This patch introduces a DummyHost const, and uses this dummy host for cases where we don't need an actual hostname.

Before this patch (using go1.20.6):

make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
=== RUN   TestAttachWithTTY
    attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithTTY (0.11s)
=== RUN   TestAttachWithoutTTy
    attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
--- FAIL: TestAttachWithoutTTy (0.02s)
FAIL

With this patch applied:

make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
INFO: Testing against a local daemon
=== RUN   TestAttachWithTTY
--- PASS: TestAttachWithTTY (0.12s)
=== RUN   TestAttachWithoutTTy
--- PASS: TestAttachWithoutTTy (0.02s)
PASS

- What I did

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

@thaJeztah thaJeztah added this to the 24.0.5 milestone Jul 13, 2023
@thaJeztah thaJeztah changed the base branch from master to 24.0 July 13, 2023 14:50
@thaJeztah thaJeztah marked this pull request as draft July 13, 2023 14:50
@thaJeztah
client: TestSetHostHeader: don't use un-keyed literals
fee4db8 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2a59188)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
client: define a "dummy" hostname to use for local connections
597a5f9 
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.

The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in  https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.

Before this patch (using go1.20.6):

    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
    === RUN   TestAttachWithTTY
        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
    --- FAIL: TestAttachWithTTY (0.11s)
    === RUN   TestAttachWithoutTTy
        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
    --- FAIL: TestAttachWithoutTTy (0.02s)
    FAIL

With this patch applied:

    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
    INFO: Testing against a local daemon
    === RUN   TestAttachWithTTY
    --- PASS: TestAttachWithTTY (0.12s)
    === RUN   TestAttachWithoutTTy
    --- PASS: TestAttachWithoutTTy (0.02s)
    PASS

[1]: GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92975f0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
pkg/plugins: use a dummy hostname for local connections
547ea18 
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.

The current code used the socket path as hostname, which gets rejected by
go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
which was implemented in  https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

Before this patch, tests would fail on go1.20.6:

    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header

[1]: GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6b7705d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah
testutil: use dummyhost for non-tcp connections
bdaadec 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e1db9e9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
@thaJeztah thaJeztah force-pushed the 24.0_backport_fix_host_header branch from af1c096 to bdaadec Compare July 14, 2023 18:37
@thaJeztah thaJeztah marked this pull request as ready for review July 14, 2023 19:30
@thaJeztah thaJeztah mentioned this pull request Jul 14, 2023
Merged
@thaJeztah
Copy link
Member Author

@neersighted @corhere PTAL

@thaJeztah
Copy link
Member Author

I'll bring this one in 👍

@thaJeztah thaJeztah merged commit d09fe00 into moby:24.0 Jul 14, 2023
101 checks passed
@thaJeztah thaJeztah deleted the 24.0_backport_fix_host_header branch July 14, 2023 20:43
@thaJeztah thaJeztah mentioned this pull request Jul 15, 2023
Merged
matthewpi added a commit to pterodactyl/wings that referenced this pull request Jul 15, 2023
@matthewpi
go: update dependencies
aa8ffdf 
This updates the docker client to include the fix added with
moby/moby#45962 which solves a breaking change
to Go due to CVE-2023-29406.
@thaJeztah thaJeztah mentioned this pull request Jul 16, 2023
Merged
10 tasks
@xiaolongyuan xiaolongyuan mentioned this pull request Jul 28, 2023
Closed
@easyfab easyfab mentioned this pull request Aug 15, 2023
Closed
@thaJeztah thaJeztah mentioned this pull request Oct 11, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neersighted neersighted neersighted approved these changes

@cpuguy83 cpuguy83 Awaiting requested review from cpuguy83

@tianon tianon Awaiting requested review from tianon

@tonistiigi tonistiigi Awaiting requested review from tonistiigi

Assignees
No one assigned
Labels
impact/changelog kind/bugfix PR's that fix bugs status/2-code-review
Projects
None yet
Milestone
24.0.5
Development

Successfully merging this pull request may close these issues.

Golang client fails to attach to streams with "http: invalid Host header" with go1.20.6, go1.19.11
2 participants
@thaJeztah @neersighted