The vendored Azure autorest may present security issues #3987
Comments
Would you like to send a PR updating the vendoring?
Hi Brian, I'd love to if I could, but my Go foo is not sufficient right now, I fear.
It's only a govendor fetch, and then verifying that it works.
I'm pretty sure the current vendored azure is so ancient, it's not just changing the azure references to the latest releases, but it also needs some code adjustments. And since it has security implications, really not something I'd trust myself with right now (maybe later when I have more Go experience).
Hi everyone, I'm new in the Go and Prometheus community. Hope my pull request will be helpful.
Fixed by #4147
simonpasquier closed this Aug 1, 2018
lock bot commented Mar 22, 2019
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
nim-nim commented Mar 20, 2018
A race condition was discovered in the Azure Active Directory client of github.com/Azure/go-autorest/ when refreshing auth tokens, requiring an API change to fix and the bump of the autorest major version from 9 to 10.
prometheus is still built against an ancient 7.2.2 pre-10 autorest version with the security issue (and probably many others fixed since).
It would be awfully nice if it could be switched to the latest autorest 10 release and the matching azure 14.x release (which is out of beta, unlike the currently vendored version).
I've no idea if the race is exploitable but in such cases it's better not to try to be smarter than attackers and just apply security fixes.
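The class of bug the issue describes, a check-and-refresh of an auth token that is not serialised across concurrent callers, illustrated as an added Go example. This is hypothetical code written for this page, not go-autorest's client and not the fix that landed in autorest 10: `UnsafeRefresher`, `Synchronised`, `hammer` and the constructed `Token` type are all assumptions made here.

```go
package main

import (
	"sync"
	"sync/atomic"
	"time"
)

// Token is a constructed stand-in for an access token; a real one also carries the bearer string.
type Token struct{ Expires time.Time }

var refreshCalls int64 // how often the simulated token endpoint was hit

// fetchToken stands in for the network round-trip to the identity provider.
func fetchToken() Token {
	atomic.AddInt64(&refreshCalls, 1)
	time.Sleep(time.Millisecond) // widen the window in which concurrent callers can race
	return Token{Expires: time.Now().Add(time.Hour)}
}

// UnsafeRefresher checks expiry and replaces the token with no synchronisation:
// the class of defect the issue describes (hypothetical, not go-autorest's code).
type UnsafeRefresher struct{ tok Token }

func (r *UnsafeRefresher) Get() Token {
	if time.Now().After(r.tok.Expires) { // unsynchronised read of tok
		r.tok = fetchToken() // unsynchronised write; several callers may refresh at once
	}
	return r.tok // may copy a half-written Token while another goroutine stores it
}

// Synchronised wraps get so the expiry check and the refresh run under one mutex:
// callers always see a consistent token and at most one refresh happens.
func Synchronised(get func() Token) func() Token {
	var mu sync.Mutex
	return func() Token { mu.Lock(); defer mu.Unlock(); return get() }
}

// hammer calls get from n goroutines at once and returns how many refreshes ran.
func hammer(get func() Token, n int) int64 {
	atomic.StoreInt64(&refreshCalls, 0)
	var wg sync.WaitGroup
	wg.Add(n)
	for i := 0; i < n; i++ {
		go func() { defer wg.Done(); get() }()
	}
	wg.Wait()
	return atomic.LoadInt64(&refreshCalls)
}
```

Pushing the unsynchronised `Get` through `hammer` with many goroutines under `go test -race` makes the detector report the read/write race on `tok` and usually shows far more than one refresh, which is the symptom to look for when auditing a token cache like this one.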