Preparing for 0.9.4 patch release #316
Conversation
Match LICENSE file.
…quick-anteater Add artifacts manifest (automatically generated)
[SecVul] Update aws-sdk-go
* Consume latest version of consul-awsauth dependency * Update CHANGELOG.md
* Remove excess logs in health-sync * Added changelog
* Fix vulnerability * Added changelog * Update Dockerfile * Updated golangci-lint version to 1.60.1
--------- Co-authored-by: João Rafael <joaoraf@me.com>
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.33.0 to 0.38.0. - [Commits](golang/net@v0.33.0...v0.38.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.38.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vikramarjuna <vkrmrjun@gmail.com>
Pin `docker/setup-qemu-action` to specific commit for stability.
[Compliance] - PR Template Changes Required
Signed-off-by: Manisha Kumari <manisha.kumari@hashicorp.com>
Test with latest consul versions
Testing test cases with latest consul version
Fix AWS SDK v1 CVE
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
| <Message>Fake AWS Server Error: %s</Message> | ||
| </Error> | ||
| </ErrorResponse>`, msg) | ||
| </ErrorResponse>`, msg); writeErr != nil { |
Check warning
Code scanning / CodeQL
Reflected cross-site scripting Medium test
Copilot Autofix
AI 2 months ago
In general, to prevent reflected XSS when including user-controlled data in an XML/HTML response, you should apply proper contextual escaping before writing the data to the response body. For XML text nodes, escaping characters like <, >, &, ', and " is sufficient; in Go, xml.EscapeText is the appropriate standard-library helper.
Here, the vulnerable behavior is in writeError in testutil/iamauthtest/testing.go, where msg := fmt.Sprintf("%s %s", r.Method, r.URL) is interpolated directly into the <Message> element. The safest, minimal-impact fix is:
- Convert the formatted message `msg` to a byte slice.
- Pass it through `xml.EscapeText` into a `bytes.Buffer` (or similar) to produce an escaped version safe for inclusion in XML text.
- Use that escaped string in the `fmt.Fprintf` call instead of the raw `msg`.
This requires:
- Adding an import for `bytes` (new) and reusing the existing `encoding/xml` import.
- Updating `writeError` to escape `msg` via `xml.EscapeText` and handle any (unlikely) error; on error, we can fall back to a generic static message rather than echoing unescaped input.
No other functionality changes: the error structure and status codes remain the same; only the internal content is now XML-escaped.
| @@ -7,6 +7,7 @@ | ||
| // https://github.com/hashicorp/consul/blob/76c03872b709297b7649cb3f8999c3d1323361fb/internal/iamauth/iamauthtest/testing.go | ||
|
|
||
| import ( | ||
| "bytes" | ||
| "encoding/xml" | ||
| "fmt" | ||
| "io" | ||
| @@ -82,6 +83,15 @@ | ||
| func writeError(w http.ResponseWriter, code int, r *http.Request) { | ||
| w.WriteHeader(code) | ||
| msg := fmt.Sprintf("%s %s", r.Method, r.URL) | ||
|
|
||
| var buf bytes.Buffer | ||
| if err := xml.EscapeText(&buf, []byte(msg)); err != nil { | ||
| // Fall back to a generic message if escaping fails | ||
| msg = "request could not be processed" | ||
| } else { | ||
| msg = buf.String() | ||
| } | ||
|
|
||
| if _, writeErr := fmt.Fprintf(w, `<ErrorResponse xmlns="https://fakeaws/"> | ||
| <Error> | ||
| <Message>Fake AWS Server Error: %s</Message> |
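Review bot: the escaping is the right fix, but `writeError` still never sets a `Content-Type`, so the `w.WriteHeader(code)` at the top of the function lets net/http sniff the body; add `w.Header().Set("Content-Type", "application/xml")` before `w.WriteHeader(code)` so the fake's error responses are never interpreted as HTML regardless of what lands in `<Message>`. Separately, `xml.EscapeText` only returns the error from the writer it is given, and `bytes.Buffer` writes never fail, so the fallback branch is unreachable; harmless, but worth a one-line comment so nobody later "simplifies" it into echoing the raw message again.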
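To make the difference concrete, the following added example (written for this review, not code from the consul-ecs repository) places the flagged pattern beside the escaped form and drives both with a constructed request through `net/http/httptest`. The status code, message format and `xmlns` string are taken from the hunk above; the explicit `Content-Type` header, the `render` helper and the probe URL are additions.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

const errorTemplate = `<ErrorResponse xmlns="https://fakeaws/">
  <Error>
    <Message>Fake AWS Server Error: %s</Message>
  </Error>
</ErrorResponse>`

// writeErrorUnescaped reproduces the pattern CodeQL flagged: the request
// method and URL are interpolated into the XML body without escaping, so
// anything the client put in the URL is echoed back verbatim.
func writeErrorUnescaped(w http.ResponseWriter, code int, r *http.Request) {
	w.WriteHeader(code)
	msg := fmt.Sprintf("%s %s", r.Method, r.URL)
	fmt.Fprintf(w, errorTemplate, msg)
}

// writeErrorEscaped is the hardened form: the message goes through
// xml.EscapeText, and the Content-Type is set before the status line so a
// browser has no reason to sniff the body as HTML.
func writeErrorEscaped(w http.ResponseWriter, code int, r *http.Request) {
	w.Header().Set("Content-Type", "application/xml; charset=utf-8")
	w.WriteHeader(code)
	msg := fmt.Sprintf("%s %s", r.Method, r.URL)
	var buf bytes.Buffer
	if err := xml.EscapeText(&buf, []byte(msg)); err != nil {
		// Unreachable with a bytes.Buffer (its writes never fail); kept so the
		// fallback never echoes unescaped input if the writer is ever changed.
		msg = "request could not be processed"
	} else {
		msg = buf.String()
	}
	fmt.Fprintf(w, errorTemplate, msg)
}

// render drives one of the handlers above with a constructed GET request for
// target and returns the status code, Content-Type and body it produced.
func render(h func(http.ResponseWriter, int, *http.Request), target string) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	rec := httptest.NewRecorder()
	h(rec, http.StatusBadRequest, req)
	res := rec.Result()
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	return res.StatusCode, res.Header.Get("Content-Type"), string(body)
}

func main() {
	// Constructed probe: a script tag smuggled in the query string.
	const probe = "/?q=<script>alert(1)</script>"
	_, _, raw := render(writeErrorUnescaped, probe)
	fmt.Println("unescaped:\n" + raw)
	_, ct, safe := render(writeErrorEscaped, probe)
	fmt.Println("escaped (" + ct + "):\n" + safe)
}
```

The escaped response carries `GET /?q=&lt;script&gt;alert(1)&lt;/script&gt;` inside `<Message>`, which is still a faithful record of the offending request for the test log, just no longer markup.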
| @@ -1 +1 @@ | |||
| 1.22.7 | |||
| 1.25.5 | |||
Check warning
Code scanning / Go Stdlib Scanner
Handshake messages may be processed at the incorrect encryption level in crypto/tls Warning
| @@ -1 +1 @@ | |||
| 1.22.7 | |||
| 1.25.5 | |||
Check warning
Code scanning / Go Stdlib Scanner
Memory exhaustion in query parameter parsing in net/url Warning
| @@ -1 +1 @@ | |||
| 1.22.7 | |||
| 1.25.5 | |||
Check warning
Code scanning / Go Stdlib Scanner
Excessive CPU consumption when building archive index in archive/zip Warning
| @@ -1 +1 @@ | |||
| 1.22.7 | |||
| 1.25.5 | |||
Check warning
Code scanning / Go Stdlib Scanner
Unexpected session resumption in crypto/tls Warning
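Review bot: the four Go Stdlib Scanner warnings (crypto/tls handshake encryption level, net/url query parsing memory exhaustion, archive/zip index CPU, crypto/tls session resumption) are reported against the `1.25.5` this line pins, while the CHANGELOG hunk further down says the release bumps Go to `1.25.7`. Whichever is intended, `.go-version` and the changelog must agree, and the scan should be re-run against the chosen version before the tag is cut; `govulncheck ./...` under that toolchain is the quickest way to confirm which of these stdlib findings are actually reachable from this code base.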
Pull request overview
Prepares the 0.9.4 patch release branch by backporting security and feature work from main, including AWS SDK v2 migration, network partition resilience configuration, and CI/release pipeline updates.
Changes:
- Migrates AWS integrations from AWS SDK v1 to v2 across controller/health-sync/test utilities.
- Adds network partition resilience configuration (outlier detection/passive health checks) and corresponding mesh-init logic + tests.
- Updates build/release tooling (GitHub Actions, Dockerfile, Makefile, lint config) and refreshes dependencies + headers/changelog.
Reviewed changes
Copilot reviewed 85 out of 86 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| version/version_test.go | Copyright header update. |
| version/version.go | Replace string replace call with ReplaceAll; header update. |
| version/non_fips_build.go | Copyright header update. |
| version/fips_build.go | Copyright header update. |
| testutil/iamauthtest/testing.go | Handle HTTP response write errors; header update. |
| testutil/iamauthtest/responses.go | Copyright header update. |
| testutil/iamauthtest/arn.go | Copyright header update. |
| testutil/fake-command.go | Copyright header update. |
| testutil/consul.go | Copyright header update. |
| testutil/config.go | Copyright header update. |
| testutil/aws.go | Safer env var set/unset in tests; header update. |
| subcommand/version/command.go | Copyright header update. |
| subcommand/net-dial/command_test.go | Close error handling in tests; header update. |
| subcommand/net-dial/command.go | Close error handling; header + imports update. |
| subcommand/mesh-init/command_test.go | Adds tests for service-defaults registration/outlier config; header + imports update. |
| subcommand/mesh-init/command.go | Adds service-defaults registration for resilience mode; header update. |
| subcommand/mesh-init/checks_test.go | Copyright header update. |
| subcommand/mesh-init/checks.go | Copyright header update. |
| subcommand/health-sync/dataplane_monitor.go | Copyright header update. |
| subcommand/health-sync/command_test.go | Migrates ECS status constants to SDK v2; adds extra assertion loop; header update. |
| subcommand/health-sync/command.go | Prevents periodic sync after SIGTERM; header update. |
| subcommand/health-sync/checks_test.go | Migrates ECS status constants to SDK v2; header update. |
| subcommand/health-sync/checks.go | Migrates ECS status constants to SDK v2; adjusts logging; header update. |
| subcommand/envoy-entrypoint/task-monitor.go | Copyright header update. |
| subcommand/envoy-entrypoint/command_windows.go | Copyright header update. |
| subcommand/envoy-entrypoint/command_unix_test.go | Migrates ECS desired status constants to SDK v2; header update. |
| subcommand/envoy-entrypoint/command_unix.go | Updates logging flag merge to use embedded flags; header update. |
| subcommand/envoy-entrypoint/command_common.go | Copyright header update. |
| subcommand/controller/command_test.go | Moves enterprise policy constant out of OSS test file; header update. |
| subcommand/controller/command_ent_test.go | Adds enterprise-only policy constant; header update. |
| subcommand/controller/command.go | Migrates ECS client creation to AWS SDK v2; header update. |
| subcommand/app-entrypoint/command_windows.go | Copyright header update. |
| subcommand/app-entrypoint/command_unix_test.go | Removes legacy +build tag; header update. |
| subcommand/app-entrypoint/command_unix.go | Removes legacy +build tag; updates logging flag merge; header update. |
| subcommand/app-entrypoint/command_common.go | Copyright header update. |
| scan.hcl | Copyright header update. |
| main.go | Copyright header update. |
| logging/logger_test.go | Copyright header update. |
| logging/logger.go | Copyright header update. |
| internal/redirecttraffic/redirect_traffic_test.go | Copyright header update. |
| internal/redirecttraffic/redirect_traffic.go | Copyright header update. |
| internal/dns/dns_test.go | Copyright header update. |
| internal/dns/dns.go | Copyright header update. |
| internal/dataplane/dataplane_json.go | Copyright header update. |
| internal/dataplane/dataplane_config_test.go | Copyright header update. |
| internal/dataplane/dataplane_config.go | Copyright header update. |
| hack/generate-config-reference/schema.go | Copyright header update. |
| hack/generate-config-reference/main.go | Copyright header update. |
| go.sum | Dependency updates for AWS SDK v2 + other bumps. |
| go.mod | Switches to AWS SDK v2 modules; updates dependency versions; bumps Go version directive. |
| entrypoint/cmd.go | Removes legacy +build tag; uses embedded exec.Cmd methods; header update. |
| controller/resource_test.go | Migrates ECS task/tag types to SDK v2. |
| controller/resource.go | Migrates ECS list/describe to SDK v2; adds ECS interface; adjusts tag handling. |
| controller/policy.go | Copyright header update. |
| controller/mocks/sm_client.go | Migrates Secrets Manager mock to SDK v2-style methods. |
| controller/mocks/ecs_client.go | Migrates ECS mock to SDK v2-style methods + pagination simulation. |
| controller/controller_test.go | Copyright header update. |
| controller/controller.go | Copyright header update. |
| config/validate_test.go | Copyright header update. |
| config/validate.go | Copyright header update. |
| config/types_test.go | Copyright header update. |
| config/types.go | Adds network resilience + outlier detection config/types/defaults; header update. |
| config/schema.json | Adds schema for networkResilienceConfig and formatting updates. |
| config/schema.go | Copyright header update. |
| config/config_test.go | Copyright header update. |
| config/config.go | Migrates AWS config/credentials handling to SDK v2 for IAM auth login flow. |
| commands.go | Copyright header update. |
| build-scripts/version.sh | Copyright header update. |
| awsutil/awsutil_test.go | Updates tests to use NewAWSConfig and SDK v2 status constants; improves env handling. |
| awsutil/awsutil.go | Replaces v1 session with v2 config + smithy middleware user-agent; closes HTTP body. |
| Makefile | Allows ARCH override with ?=. |
| LICENSE | Copyright header update. |
| Dockerfile | Updates Go build image + Alpine base; adds curl/gnupg upgrade step; adjusts packaging path. |
| CHANGELOG.md | Adds unreleased notes for backported fixes/security/dependency bumps. |
| .release/security-scan.hcl | Adds empty triage/suppress block. |
| .release/consul-ecs-artifacts.hcl | New release artifact manifest file. |
| .golangci.yml | Updates golangci-lint config for v2 schema + formatters section. |
| .go-version | Bumps Go toolchain version used by CI. |
| .github/workflows/test.yml | Runs on PRs; updates Consul test matrix; pins ubuntu-22.04; bumps golangci-lint action/version. |
| .github/workflows/security-scan.yml | Pins ubuntu-22.04. |
| .github/workflows/reusable-get-go-version.yml | Pins ubuntu-22.04 (and continues reading .go-version). |
| .github/workflows/build.yml | Runs on PRs; refactors build matrix + introduces Docker-based FIPS builds; pins ubuntu-22.04. |
| .github/pull_request_template.md | Adds PCI review checklist section. |
| .github/containers/ubuntu/fips-build-Dockerfile | New Dockerfile to produce glibc-compatible FIPS binaries. |
| .github/CODEOWNERS | Adds team-consul-platform and expands ownership rules for release configs. |
| .dockerignore | Tightens build context; attempts to allow required source/artifacts. |
| * Update Dockerfile to use Alpine 3.19.1 and explicitly upgrade curl and gnupg to mitigate [CVE-2025-14819], [CVE-2025-14524], [CVE-2025-14017], and [CVE-2025-30258]. | ||
| * Upgrade `golang.org/x/crypto` to `v0.45.0` to address [GO-2025-4134] and [GO-2025-4116] | ||
|
|
||
| IMPROVEMENTS | ||
| * AWS SDK Migration: Migrated core AWS integration from SDK v1 to SDK v2. This improves performance, reduces memory overhead, and adopts modern Go patterns (Context support, non-pointer slice types). | ||
| * Remove info logs from health sync checks | ||
| * Bump Go version to `1.25.7` |
Changelog entries mention upgrading to Alpine 3.19.1 and bumping Go to 1.25.7, but the Dockerfile uses Alpine 3.23 and CI .go-version is 1.25.5. Please reconcile these version references so the release notes accurately describe what the release contains.
| * Update Dockerfile to use Alpine 3.19.1 and explicitly upgrade curl and gnupg to mitigate [CVE-2025-14819], [CVE-2025-14524], [CVE-2025-14017], and [CVE-2025-30258]. | |
| * Upgrade `golang.org/x/crypto` to `v0.45.0` to address [GO-2025-4134] and [GO-2025-4116] | |
| IMPROVEMENTS | |
| * AWS SDK Migration: Migrated core AWS integration from SDK v1 to SDK v2. This improves performance, reduces memory overhead, and adopts modern Go patterns (Context support, non-pointer slice types). | |
| * Remove info logs from health sync checks | |
| * Bump Go version to `1.25.7` | |
| * Update Dockerfile to use Alpine 3.23 and explicitly upgrade curl and gnupg to mitigate [CVE-2025-14819], [CVE-2025-14524], [CVE-2025-14017], and [CVE-2025-30258]. | |
| * Upgrade `golang.org/x/crypto` to `v0.45.0` to address [GO-2025-4134] and [GO-2025-4116] | |
| IMPROVEMENTS | |
| * AWS SDK Migration: Migrated core AWS integration from SDK v1 to SDK v2. This improves performance, reduces memory overhead, and adopts modern Go patterns (Context support, non-pointer slice types). | |
| * Remove info logs from health sync checks | |
| * Bump Go version to `1.25.5` |
| for _, task := range tasks.Tasks { | ||
| if task == nil { | ||
| s.Log.Warn("task is nil") | ||
| if task.TaskArn == nil { | ||
| s.Log.Warn("task has no ARN") | ||
| continue | ||
| } | ||
|
|
||
| if !isMeshTask(task) { | ||
| if !isMeshTask(&task) { | ||
| s.Log.Debug("skipping non-mesh task", "task-arn", *task.TaskArn) |
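Review bot: `isMeshTask(&task)` is only safe if the `go` directive in go.mod is 1.22 or newer; per-iteration loop variables are gated on the module's `go` line, not on the toolchain in `.go-version`, so please confirm which value the directive was bumped to. With an older directive every `&task` aliases the same variable, and iterating by index (`task := &tasks.Tasks[i]`) is the portable fix. Replacing the `task == nil` guard with `task.TaskArn == nil` plus `continue` is the right shape for SDK v2's value-typed `Tasks` slice, and it is also what makes the `*task.TaskArn` dereference two lines below safe.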
In for _, task := range tasks.Tasks, taking the address of the range variable (&task) is a common Go pitfall and is flagged by govet in many configurations. Prefer iterating by index (or copying to a new variable) before taking the address when calling isMeshTask.
| // registerServiceDefaults registers service defaults with passive health check | ||
| // for network partition resilience mode. It fetches any existing service defaults, | ||
| // merges the configurations, and only adds passive health check if not already present. | ||
| // If upstreams are defined in the proxy configuration, passive health check is also | ||
| // applied to those specific upstreams via UpstreamConfig.Overrides. | ||
| func (c *Command) registerServiceDefaults(consulClient *api.Client, service *api.AgentService, resilience *config.NetworkPartitionResilienceConfig) error { |
The doc comment says passive health check will also be applied to upstream-specific overrides (UpstreamConfig.Overrides), but the implementation below only sets UpstreamConfig.Defaults. Either implement the overrides behavior or update the comment to reflect the current behavior to avoid misleading future maintainers.
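As an added illustration of the behaviour the doc comment promises (written for this review, not the project's `registerServiceDefaults`; the struct types are local definitions that mirror the JSON field names of a Consul `service-defaults` entry and are an assumption, not the `consul/api` types the project uses): a merge that fills in `UpstreamConfig.Defaults` only when a passive health check is absent, applies the same check to each named upstream through `UpstreamConfig.Overrides` without clobbering an operator-set override, and reports whether anything changed so a second run can skip the write.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PassiveHealthCheck mirrors the outlier-detection block of a Consul
// service-defaults entry (assumed field names; local type for this example).
type PassiveHealthCheck struct {
	Interval    string `json:"Interval,omitempty"`
	MaxFailures int    `json:"MaxFailures,omitempty"`
}

// UpstreamConfig serves both as Defaults (Name empty) and as an Overrides
// element (Name set to the upstream service).
type UpstreamConfig struct {
	Name               string              `json:"Name,omitempty"`
	PassiveHealthCheck *PassiveHealthCheck `json:"PassiveHealthCheck,omitempty"`
}

type UpstreamConfiguration struct {
	Defaults  *UpstreamConfig   `json:"Defaults,omitempty"`
	Overrides []*UpstreamConfig `json:"Overrides,omitempty"`
}

// ServiceDefaults is the subset of a service-defaults entry this example touches.
type ServiceDefaults struct {
	Kind           string                 `json:"Kind"`
	Name           string                 `json:"Name"`
	Protocol       string                 `json:"Protocol,omitempty"`
	UpstreamConfig *UpstreamConfiguration `json:"UpstreamConfig,omitempty"`
}

// mergePassiveHealthCheck returns the entry to write back for service and
// whether it differs from existing (nil means no entry exists yet). An
// operator-set passive health check is never overwritten, whether it sits in
// Defaults or in an override; missing ones are filled in from phc, creating
// an override for every named upstream that has none.
func mergePassiveHealthCheck(existing *ServiceDefaults, service string, upstreams []string, phc PassiveHealthCheck) (*ServiceDefaults, bool) {
	changed := false
	entry := existing
	if entry == nil {
		entry = &ServiceDefaults{Kind: "service-defaults", Name: service}
		changed = true
	}
	if entry.UpstreamConfig == nil {
		entry.UpstreamConfig = &UpstreamConfiguration{}
	}
	uc := entry.UpstreamConfig
	if uc.Defaults == nil {
		uc.Defaults = &UpstreamConfig{}
	}
	if uc.Defaults.PassiveHealthCheck == nil {
		c := phc
		uc.Defaults.PassiveHealthCheck = &c
		changed = true
	}
	for _, name := range upstreams {
		var ov *UpstreamConfig
		for _, o := range uc.Overrides {
			if o != nil && o.Name == name {
				ov = o
				break
			}
		}
		if ov == nil {
			ov = &UpstreamConfig{Name: name}
			uc.Overrides = append(uc.Overrides, ov)
		}
		if ov.PassiveHealthCheck == nil {
			c := phc
			ov.PassiveHealthCheck = &c
			changed = true
		}
	}
	return entry, changed
}

// toJSON renders the entry in the shape the config-entry API would receive.
func toJSON(e *ServiceDefaults) string {
	b, err := json.MarshalIndent(e, "", "  ")
	if err != nil {
		return err.Error()
	}
	return string(b)
}

func main() {
	phc := PassiveHealthCheck{Interval: "10s", MaxFailures: 5}
	entry, changed := mergePassiveHealthCheck(nil, "web", []string{"db", "cache"}, phc)
	fmt.Println("changed:", changed)
	fmt.Println(toJSON(entry))
	_, again := mergePassiveHealthCheck(entry, "web", []string{"db", "cache"}, phc)
	fmt.Println("second run changed:", again) // false: the merge is idempotent
}
```

The `changed` flag is what lets the caller avoid a write (and a CAS race with an operator editing the same entry) when the entry already carries everything mesh-init wants.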
| linters: | ||
| disable-all: true | ||
| enable: | ||
| - gofmt | ||
| - govet | ||
| - unconvert | ||
| - staticcheck | ||
| - ineffassign | ||
| - unparam |
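Review bot: if this file is now on the golangci-lint v2 schema, as the file summary says, `disable-all: true` has no v2 spelling under `linters`; the equivalent is `linters: default: none`, and `gofmt` is a formatter in v2, so it belongs under `formatters: enable: [gofmt]` rather than `linters: enable`. v2 validates the config against its schema, so a leftover v1 key fails config loading rather than quietly enabling the default linter set; `golangci-lint migrate` performs this conversion and is the safest way to get the two halves of the file consistent.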
disable-all: true was removed, which can cause golangci-lint to start running its default linter set in addition to the explicitly enabled linters. If the intent is to keep linting stable across releases, consider restoring disable-all: true (or explicitly disabling unwanted defaults) to avoid unexpected CI failures.
| @@ -0,0 +1,28 @@ | |||
| # Copyright (c) HashiCorp, Inc. | |||
This new release config file still uses the old HashiCorp copyright header, while most files in this PR were updated to IBM. If this repository is standardizing headers, this file should likely be updated to match the new convention for consistency/compliance.
| # Copyright (c) HashiCorp, Inc. | |
| # Copyright IBM Corp. |
| if err := conn.Close(); err != nil { | ||
| fmt.Printf("Warning: failed to close connection: %v\n", err) | ||
| } |
Run uses cli.Ui for user-visible output, but this warning is printed directly to stdout via fmt.Printf. Prefer routing this through c.UI (or the command logger, if available) so output is consistent and easier to test/capture.
| if !c.missingDataplaneContainer { | ||
| // Assert that the proxy check remains in the expected state for the full 5 seconds | ||
| end := time.Now().Add(5 * time.Second) | ||
| for time.Now().Before(end) { | ||
| // This will retry for up to 5 seconds, but we want to fail immediately if the status changes | ||
| assertHealthChecks(t, consulClient, nil, expectedProxyCheck) | ||
| time.Sleep(100 * time.Millisecond) | ||
| } | ||
| } |
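Review bot: if this loop moves to `require.Never`, the condition must be a plain `func() bool` (read the proxy check through the Consul client and compare its status) rather than a call to `assertHealthChecks`, which fails the test on mismatch instead of returning false. As written the loop does stop at the first divergence; the cost is that the happy path always pays the full 5 seconds, which is what the comment above is pointing at.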
This adds a fixed 5-second polling loop (with sleeps) to every applicable test run, which will slow the suite and can be flaky under load. Consider using require.Never/require.Eventually (or the existing retry helpers in this package) with a short timeout to assert the status does not change, without busy-waiting for the full duration.
| .DS_Store | ||
|
|
||
| # Allow dist and LICENSE for default Dockerfile | ||
| !dist/* |
.dockerignore only un-ignores dist/*, but the Dockerfile now expects artifacts under dist/$TARGETOS/$TARGETARCH/... (e.g. dist/linux/amd64/...). With the current patterns, those nested paths will be excluded from the build context and COPY dist/... will fail. Consider changing this to un-ignore dist/** (or !dist/ plus !dist/**) to include the nested directories.
| !dist/* | |
| !dist/ | |
| !dist/** |
| FROM golang:1.23.6-alpine as go-discover | ||
| RUN CGO_ENABLED=0 go install github.com/hashicorp/go-discover/cmd/discover@214571b6a5309addf3db7775f4ee8cf4d264fd5f | ||
|
|
||
| FROM docker.mirror.hashicorp.services/alpine:latest AS release-default | ||
| FROM docker.mirror.hashicorp.services/alpine:3.23 AS release-default | ||
|
|
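Review bot: the `go-discover` stage still builds with `golang:1.23.6-alpine` while `.go-version` moves the main build to 1.25.x, so the `discover` binary copied into the release image is normally compiled against an older standard library than the one the Go Stdlib Scanner findings above are reported for, and the stdlib fixes those findings refer to would not reach it. Build both stages from the same toolchain (a build arg fed from `.go-version`) so one scan result covers every Go binary in the image. Pinning the commit of `go-discover` and replacing `alpine:latest` with `alpine:3.23` are the right direction; the changelog just needs to say 3.23.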
The changelog/PR description call out Alpine 3.19.1, but the Dockerfile is updated to alpine:3.23. Please either update the Dockerfile to the intended version or adjust the changelog entry so the documented base image matches what’s actually shipped.
| fi | ||
|
|
||
| # Install Go | ||
| RUN curl -L https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -C /opt -zxv |
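Review bot: `curl -L … | tar -C /opt -zxv` extracts whatever the download returns with no integrity check, and without `-f` a non-200 response body is piped into tar as well. Download to a file, verify the SHA-256 published for that release against a value pinned next to `GO_VERSION`, and only then extract, e.g. `RUN curl -fsSL -o /tmp/go.tgz "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \` / `&& echo "${GO_SHA256}  /tmp/go.tgz" | sha256sum -c - \` / `&& tar -C /opt -xzf /tmp/go.tgz && rm /tmp/go.tgz`. If this is the FIPS build container listed in the file summary, a substituted toolchain here ends up inside the signed release artifacts, so the check belongs in the Dockerfile rather than in a later scan.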
The RUN curl -L https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz | tar -C /opt -zxv step downloads and executes a remote tarball without any checksum or signature verification, which is a supply-chain risk. If the go.dev distribution or the download path were compromised, an attacker could provide a malicious Go toolchain that runs at build time and produces backdoored release binaries. To mitigate this, pin the Go artifact to a specific, trusted checksum (or signature) and verify it before extraction, or use a pre-verified Go toolchain from your base image or package manager instead of an ad-hoc curl+tar install.