
Update golang.org/x/net to address CVE-2022-41723 #4275

Closed
jamonation opened this issue Mar 29, 2023 · 6 comments

Comments

@jamonation

Output of restic version

go run ./cmd/restic/ version
restic 0.15.1 compiled with go1.20.2 on linux/amd64

What should restic do differently? Which functionality do you think we should add?

Update golang.org/x/net from 0.5.0 to 0.7.0 (along with related dependencies).

What are you trying to do? What problem would this solve?

This update addresses CVE-2022-41723, which can lead to a Denial of Service. Scanning the 0.15.1 tag with Trivy shows the issue:

trivy fs go.mod
2023-03-29T10:42:54.736-0400	INFO	Vulnerability scanning is enabled
2023-03-29T10:42:54.736-0400	INFO	Secret scanning is enabled
2023-03-29T10:42:54.736-0400	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-03-29T10:42:54.736-0400	INFO	Please see also https://aquasecurity.github.io/trivy/v0.38/docs/secret/scanning/#recommendation for faster secret detection
2023-03-29T10:42:55.424-0400	INFO	Number of language-specific files: 1
2023-03-29T10:42:55.424-0400	INFO	Detecting gomod vulnerabilities...

go.mod (gomod)

Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────┬─────────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │    Vulnerability    │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────────┼─────────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723      │ HIGH     │ 0.5.0             │ 0.7.0         │ golang.org/x/net/http2: avoid quadratic complexity in HPACK │
│                  │                     │          │                   │               │ decoding                                                    │
│                  │                     │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723                  │
│                  ├─────────────────────┼──────────┤                   │               ├─────────────────────────────────────────────────────────────┤
│                  │ GHSA-vvpx-j8f3-3w6h │ UNKNOWN  │                   │               │ Uncontrolled Resource Consumption                           │
│                  │                     │          │                   │               │ https://github.com/advisories/GHSA-vvpx-j8f3-3w6h           │
└──────────────────┴─────────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

Updating golang.org/x/net to the patched 0.7.0 version mitigates the vulnerability. Here's the full diff:

git diff go.mod
diff --git a/go.mod b/go.mod
index a172c6992..54596ca7c 100644
--- a/go.mod
+++ b/go.mod
@@ -25,12 +25,12 @@ require (
        github.com/spf13/cobra v1.6.1
        github.com/spf13/pflag v1.0.5
        golang.org/x/crypto v0.5.0
-       golang.org/x/net v0.5.0
+       golang.org/x/net v0.7.0
        golang.org/x/oauth2 v0.4.0
        golang.org/x/sync v0.1.0
-       golang.org/x/sys v0.4.0
-       golang.org/x/term v0.4.0
-       golang.org/x/text v0.6.0
+       golang.org/x/sys v0.5.0
+       golang.org/x/term v0.5.0
+       golang.org/x/text v0.7.0
        google.golang.org/api v0.108.0
 )
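Review bot: only go.mod is shown here; the matching go.sum changes are missing from the diff, and bumping go.mod without the new module hashes in go.sum makes `go build` and `go mod verify` fail with a missing go.sum entry. Run `go mod tidy` and include go.sum in the PR. The hunk also bumps golang.org/x/sys, golang.org/x/term and golang.org/x/text alongside golang.org/x/net; the PR description should say why those move too (the issue text calls them related dependencies), so a reviewer can tell them apart from unrelated version churn.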

All tests seem to pass when I run make test as well. I'll open an associated PR if that's the best way to proceed?

make test
go test ./cmd/... ./internal/...
?   	github.com/restic/restic/internal/backend/mock	[no test files]
?   	github.com/restic/restic/internal/backend/sema	[no test files]
?   	github.com/restic/restic/internal/backend/test	[no test files]
?   	github.com/restic/restic/internal/test	[no test files]
?   	github.com/restic/restic/internal/ui/signals	[no test files]
ok  	github.com/restic/restic/cmd/restic	27.407s
ok  	github.com/restic/restic/internal/archiver	2.528s
ok  	github.com/restic/restic/internal/backend	0.167s
ok  	github.com/restic/restic/internal/backend/azure	0.004s
ok  	github.com/restic/restic/internal/backend/b2	0.010s
ok  	github.com/restic/restic/internal/backend/dryrun	0.004s
ok  	github.com/restic/restic/internal/backend/gs	0.014s
ok  	github.com/restic/restic/internal/backend/layout	0.070s
ok  	github.com/restic/restic/internal/backend/limiter	0.007s
ok  	github.com/restic/restic/internal/backend/local	3.702s
ok  	github.com/restic/restic/internal/backend/location	0.025s
ok  	github.com/restic/restic/internal/backend/mem	1.520s
ok  	github.com/restic/restic/internal/backend/rclone	0.014s
ok  	github.com/restic/restic/internal/backend/rest	0.008s
ok  	github.com/restic/restic/internal/backend/retry	0.042s
ok  	github.com/restic/restic/internal/backend/s3	0.009s
ok  	github.com/restic/restic/internal/backend/sftp	2.757s
ok  	github.com/restic/restic/internal/backend/swift	0.008s
ok  	github.com/restic/restic/internal/bloblru	0.010s
ok  	github.com/restic/restic/internal/cache	0.769s
ok  	github.com/restic/restic/internal/checker	3.016s
ok  	github.com/restic/restic/internal/crypto	0.516s
ok  	github.com/restic/restic/internal/debug	0.005s
ok  	github.com/restic/restic/internal/dump	0.117s
ok  	github.com/restic/restic/internal/errors	0.003s
ok  	github.com/restic/restic/internal/filter	0.379s
ok  	github.com/restic/restic/internal/fs	0.804s
ok  	github.com/restic/restic/internal/fuse	0.037s
ok  	github.com/restic/restic/internal/hashing	0.041s
ok  	github.com/restic/restic/internal/index	0.566s
ok  	github.com/restic/restic/internal/migrations	0.010s
ok  	github.com/restic/restic/internal/options	0.007s
ok  	github.com/restic/restic/internal/pack	0.017s
ok  	github.com/restic/restic/internal/repository	5.616s
ok  	github.com/restic/restic/internal/restic	2.191s
ok  	github.com/restic/restic/internal/restorer	0.180s
ok  	github.com/restic/restic/internal/selfupdate	0.042s
ok  	github.com/restic/restic/internal/textfile	0.005s
ok  	github.com/restic/restic/internal/ui	0.006s
ok  	github.com/restic/restic/internal/ui/backup	0.017s
ok  	github.com/restic/restic/internal/ui/progress	0.214s
ok  	github.com/restic/restic/internal/ui/table	0.002s
ok  	github.com/restic/restic/internal/ui/termstatus	0.003s
ok  	github.com/restic/restic/internal/walker	0.008s

Did restic help you today? Did it make you happy in any way?

Restic is great! I added it to Wolfi OS for use with container workloads.
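As an added example (not code from this issue or from restic), here is a small Go check that parses go.mod text and flags tracked modules still below their fixed version, using the golang.org/x/net v0.5.0 to v0.7.0 pair from the Trivy table above. The go.mod fragment and the fixedVersions table are constructed for the example, and it goes a little beyond the block form shown in the issue by also handling single-line `require` directives and pseudo-versions.

```go
package main

import (
	"strconv"
	"strings"
)

// fixedVersions: first version carrying the fix, from the Trivy table above.
var fixedVersions = map[string]string{"golang.org/x/net": "v0.7.0"}
// sampleGoMod is a constructed fragment mirroring the issue's require block.
const sampleGoMod = "module example.com/app\n\ngo 1.20\n\nrequire (\n\tgolang.org/x/crypto v0.5.0\n" +
	"\tgolang.org/x/net v0.5.0 // indirect\n\tgolang.org/x/sys v0.4.0\n)\n"

// versionKey maps "v0.7.0" (any pseudo-version suffix dropped) to major*1e6+minor*1e3+patch.
func versionKey(v string) (key int, ok bool) {
	parts := strings.Split(strings.SplitN(strings.TrimPrefix(v, "v"), "-", 2)[0], ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n >= 1000 {
			return 0, false
		}
		key = key*1000 + n
	}
	return key, len(parts) == 3
}

// VulnerableModules returns "module installed -> fixed" for each requirement (block or
// single-line form) below its fixed version; an unparseable version is flagged too.
func VulnerableModules(gomod string) []string {
	var hits []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		if line == "require (" || line == ")" {
			inBlock = line == "require (" // enter or leave the require block
			continue
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) < 2 || !(inBlock || strings.HasPrefix(line, "require ")) {
			continue
		}
		if fixed, tracked := fixedVersions[f[0]]; tracked {
			have, ok := versionKey(f[1])
			if want, _ := versionKey(fixed); !ok || have < want { // table entries parse
				hits = append(hits, f[0]+" "+f[1]+" -> "+fixed)
			}
		}
	}
	return hits
}
```

Running VulnerableModules over the sample reports `golang.org/x/net v0.5.0 -> v0.7.0` and nothing else; a pseudo-version such as v0.0.0-2022... is compared by its base version, so an old one is still caught.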

@MichaelEischer
Member

go.mod has already been updated on the master branch.

@jamonation
Author

Right, I see dependabot is on the case there. Any thoughts about a 0.15.1-r1 or similar release with the updated module(s)? I'll close this in any case, thanks for the follow up!

@berler

berler commented Apr 13, 2023

Is there a timeline on when there will be a version released with this fix?

@jamonation
Author

@berler not sure how you're using restic, but I can help until there's a new release if you are building from source, or using an apk-based Linux distro?

@berler

berler commented Apr 14, 2023

We'd like to avoid building from source if possible. Currently we just download the binary from the release page (is this effectively the same as if you installed from a package and then ran the self-update script?).

@markus-as

@berler The problem is mentioned in the release notes of the current version:

https://github.com/restic/restic/releases/tag/v0.15.2
