benthosdev / benthos

Fancy stream processing made operationally mundane
https://www.benthos.dev
MIT License

fix vulnerability GO-2024-2687 HTTP/2 CONTINUATION flood in net/http #2503

Closed peczenyj closed 1 month ago

peczenyj commented 1 month ago

Using govulncheck we got this issue:

=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: internal/impl/azure/input_cosmosdb.go:10:2: azure.init calls runtime.init, which eventually calls http2.ConfigureTransports
      #2: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.ConnectionError.Error
      #3: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #4: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #5: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #6: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.ReadFrame
      #7: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteContinuation
      #8: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteData
      #9: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteHeaders
      #10: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WritePing
      #11: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteRSTStream
      #12: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteSettings
      #13: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteSettingsAck
      #14: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.Framer.WriteWindowUpdate
      #15: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.GoAwayError.Error
      #16: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.Setting.String
      #17: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #18: internal/serverless/lambda/lambda.go:31:22: lambda.Run calls os.Getenv, which eventually calls http2.SettingsFrame.ForeachSetting
      #19: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.StreamError.Error
      #20: internal/impl/influxdb/metrics_influxdb.go:396:16: influxdb.influxDBMetrics.Close calls influxdb1.client.Close, which eventually calls http2.Transport.NewClientConn
      #21: internal/serverless/lambda/lambda.go:91:14: lambda.Run calls lambda.Start, which eventually calls http2.Transport.RoundTrip
      #22: internal/serverless/lambda/lambda.go:37:14: lambda.Run calls fmt.Fprintf, which eventually calls http2.chunkWriter.Write
      #23: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.connError.Error
      #24: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.duplicatePseudoHeaderError.Error
      #25: internal/cli/studio/sync_schema.go:70:4: studio.syncSchemaCommand calls http2.gzipReader.Close
      #26: internal/config/lint.go:89:34: config.ReadFileEnvSwap calls io.ReadAll, which calls http2.gzipReader.Read
      #27: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.headerFieldNameError.Error
      #28: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.headerFieldValueError.Error
      #29: internal/serverless/lambda/lambda.go:91:14: lambda.Run calls lambda.Start, which eventually calls http2.noDialH2RoundTripper.RoundTrip
      #30: internal/impl/pure/output_drop_on.go:259:23: pure.dropOnWriter.loop calls http2.pseudoHeaderError.Error
      #31: internal/serverless/lambda/lambda.go:37:14: lambda.Run calls fmt.Fprintf, which eventually calls http2.stickyErrWriter.Write
      #32: internal/cli/studio/sync_schema.go:70:4: studio.syncSchemaCommand calls http2.transportResponseBody.Close
      #33: internal/config/lint.go:89:34: config.ReadFileEnvSwap calls io.ReadAll, which calls http2.transportResponseBody.Read
      #34: cmd/tools/benthos_docs_gen/main.go:119:20: benthos_docs_gen.doTemplates calls fmt.Sprintf, which eventually calls http2.writeData.String
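
As an added check (not code from the benthos project or from this PR): a small Go program that parses the govulncheck text report above into findings and compares a go.mod module version against the "Fixed in" version, so a CI step can confirm that the golang.org/x/net bump from v0.22.0 to v0.23.0 actually clears GO-2024-2687. The Finding type, ParseGovulncheck, Remediated and the constructed sampleReport are this example's own assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one entry of govulncheck's text report; versions keep the part after '@'.
type Finding struct{ ID, Module, FoundIn, FixedIn string }
var verRe = regexp.MustCompile(`(?m)^\s*(Found|Fixed) in: (\S+)@(\S+)`)

// ParseGovulncheck splits the report at each "Vulnerability #N: ID" header and
// reads the affected module and versions from the block that follows it.
func ParseGovulncheck(report string) []Finding {
	var fs []Finding
	for _, block := range strings.Split("\n"+report, "\nVulnerability #")[1:] {
		f := Finding{ID: strings.Fields(block)[1]} // fields are "N:", "ID", title words...
		for _, m := range verRe.FindAllStringSubmatch(block, -1) {
			f.Module = m[2]
			if m[1] == "Found" {
				f.FoundIn = m[3]
			} else {
				f.FixedIn = m[3]
			}
		}
		fs = append(fs, f)
	}
	return fs
}

// Remediated reports whether goModVersion is at least FixedIn (plain vX.Y.Z tags only).
func (f Finding) Remediated(goModVersion string) bool {
	var have, want [3]int
	fmt.Sscanf(goModVersion, "v%d.%d.%d", &have[0], &have[1], &have[2])
	if n, _ := fmt.Sscanf(f.FixedIn, "v%d.%d.%d", &want[0], &want[1], &want[2]); n < 3 {
		return false // no parseable fixed release, so nothing can satisfy it
	}
	for i := range have {
		if have[i] != want[i] {
			return have[i] > want[i]
		}
	}
	return true
}

// sampleReport is a constructed excerpt of the govulncheck output quoted above.
const sampleReport = `Vulnerability #1: GO-2024-2687
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0
`
```

Feed it the full report and the version from `go list -m golang.org/x/net` to fail the build while any finding is not remediated; pre-release suffixes such as `-rc1` are ignored by the comparison.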
Jeffail commented 1 month ago

Thanks @peczenyj!