The vendored Azure autorest may present security issues #3987

Closed
nim-nim opened this Issue Mar 20, 2018 · 7 comments

@nim-nim
nim-nim commented Mar 20, 2018

A race condition was discovered in the Azure Active Directory client of github.com/Azure/go-autorest/ when refreshing auth tokens, requiring an API change to fix and the bump of the autorest major version from 9 to 10.

Prometheus is still built against an ancient 7.2.2 pre-10 autorest version with the security issue (and probably many others fixed since).

It would be awfully nice if it could be switched to the latest autorest 10 release and the matching azure 14.x release (which is out of beta, unlike the currently vendored version).

I've no idea if the race is exploitable but in such cases it's better not to try to be smarter than attackers and just apply security fixes.

@brian-brazil

Member

brian-brazil commented Mar 20, 2018

Would you like to send a PR updating the vendoring?

@nim-nim

Author

nim-nim commented Mar 20, 2018

Hi Brian,

I'd love to if I could, but my Go foo is not sufficient right now I fear.

@brian-brazil

Member

brian-brazil commented Mar 20, 2018

It's only a govendor fetch, and then verifying that it works.

@nim-nim

Author

nim-nim commented Mar 20, 2018

I'm pretty sure the current vendored azure is so ancient that it's not just changing the azure references to the latest releases; it also needs some code adjustments. And since it has security implications, it's really not something I'd trust myself with right now (maybe later when I have more Go experience).

@bege13mot

Contributor

bege13mot commented May 7, 2018

Hi everyone,

I'm new to the Go and Prometheus community. I hope my pull request will be helpful.

@simonpasquier

Member

simonpasquier commented Aug 1, 2018

Fixed by #4147

@lock


lock bot commented Mar 22, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 22, 2019
