kubernetes-sigs / prometheus-adapter

An implementation of the custom.metrics.k8s.io API using Prometheus
Apache License 2.0

Fix GO-2022-0969 #547

Closed olivierlemasle closed 1 year ago

olivierlemasle commented 1 year ago

govulncheck reports that prometheus-adapter is vulnerable to GO-2022-0969:

```
Vulnerability #1: GO-2022-0969
  HTTP/2 server connections can hang forever waiting for a clean shutdown
  that was preempted by a fatal error. This condition can be exploited by a
  malicious client to cause a denial of service.

  Call stacks in your code:
      #1: for function Server.ServeConn
        sigs.k8s.io/prometheus-adapter/cmd/adapter.main
          cmd/adapter/adapter.go:353:19
        sigs.k8s.io/custom-metrics-apiserver/pkg/cmd.AdapterBase.Run
          /home/olivier/gowork/pkg/mod/sigs.k8s.io/custom-metrics-apiserver@v1.24.0/pkg/cmd/builder.go:288:49
        k8s.io/apiserver/pkg/server.preparedGenericAPIServer.Run
          /home/olivier/gowork/pkg/mod/k8s.io/apiserver@v0.24.3/pkg/server/genericapiserver.go:455:55
        k8s.io/apiserver/pkg/server.preparedGenericAPIServer.NonBlockingRun
          /home/olivier/gowork/pkg/mod/k8s.io/apiserver@v0.24.3/pkg/server/genericapiserver.go:522:64
        k8s.io/apiserver/pkg/server.SecureServingInfo.Serve
          /home/olivier/gowork/pkg/mod/k8s.io/apiserver@v0.24.3/pkg/server/secure_serving.go:211:18
        k8s.io/apiserver/pkg/server.RunServer
          /home/olivier/gowork/pkg/mod/k8s.io/apiserver@v0.24.3/pkg/server/secure_serving.go:240:2
        k8s.io/apiserver/pkg/server.RunServer$2
          /home/olivier/gowork/pkg/mod/k8s.io/apiserver@v0.24.3/pkg/server/secure_serving.go:250:22
        net/http.Server.Serve
          /usr/lib/golang/src/net/http/server.go:3102:3
        net/http.conn.serve
          /usr/lib/golang/src/net/http/server.go:1899:7
        golang.org/x/net/http2.ConfigureServer$1
          /home/olivier/gowork/pkg/mod/golang.org/x/net@v0.0.0-20220425223048-2871e0cb64e4/http2/server.go:294:17
        golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/http2@v0.0.0-20220425223048-2871e0cb64e4
  Fixed in: golang.org/x/net/http2@v0.0.0-20220906165146-f3363e06e74c
  More info: https://pkg.go.dev/vuln/GO-2022-0969
```

Updating golang.org/x/net to fix the issue.

/kind bug
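Added example (not code from this PR or from prometheus-adapter): the `Found in` / `Fixed in` lines in the report are module versions, and a dependency bump like this one only closes the finding if the version of `golang.org/x/net` the build actually requires sorts at or after the fixed pseudo-version. The Go program below checks a go.mod for exactly that. The go.mod content is constructed, the function names are mine, and the pseudo-version comparison is simplified to the `vX.Y.Z-<timestamp>-<hash>` family; `govulncheck` against the Go vulnerability database remains the authoritative check, since it also reasons about which vulnerable symbols are reachable.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strconv"
	"strings"
)

// From the govulncheck report for GO-2022-0969: the report names the package
// golang.org/x/net/http2, but go.mod requires the module golang.org/x/net.
const (
	vulnModule   = "golang.org/x/net"
	fixedVersion = "v0.0.0-20220906165146-f3363e06e74c"
)

// Constructed go.mod excerpt (not the project's real file) pinned to the
// golang.org/x/net version the report lists under "Found in".
const sampleGoMod = `module example.com/adapter
go 1.19
require (
	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4
	k8s.io/apiserver v0.24.3 // indirect
)
`

// requiredVersion returns the version goMod requires for module, whether it
// appears as a single "require m v" line or inside a "require ( ... )" block.
func requiredVersion(goMod, module string) (string, error) {
	re := regexp.MustCompile(`(?m)^[ \t]*(?:require[ \t]+)?` + regexp.QuoteMeta(module) + `[ \t]+(v\S+)`)
	if m := re.FindStringSubmatch(goMod); m != nil {
		return m[1], nil
	}
	return "", fmt.Errorf("module %s not required in go.mod", module)
}

// versionKey maps a module version to a sortable key: the vX.Y.Z tuple, then the
// pseudo-version timestamp. A tagged release gets MaxInt64 there because it sorts
// after every pseudo-version derived from the same tuple. Supported pseudo-version
// forms: vX.Y.Z-<ts>-<hash>, vX.Y.Z-0.<ts>-<hash>, vX.Y.Z-pre.0.<ts>-<hash>.
func versionKey(v string) ([4]int64, error) {
	var key [4]int64
	base, rest, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return key, fmt.Errorf("unsupported version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.ParseInt(p, 10, 64)
		if err != nil {
			return key, fmt.Errorf("bad component %q in %q", p, v)
		}
		key[i] = n
	}
	if rest == "" {
		key[3] = math.MaxInt64
		return key, nil
	}
	tsPart, _, _ := strings.Cut(rest, "-") // strip the commit hash
	ts := tsPart[strings.LastIndex(tsPart, ".")+1:]
	n, err := strconv.ParseInt(ts, 10, 64)
	if err != nil || len(ts) != 14 {
		return key, fmt.Errorf("unsupported pseudo-version %q", v)
	}
	key[3] = n
	return key, nil
}

// isFixed reports whether required sorts at or after fixed.
func isFixed(required, fixed string) (bool, error) {
	rk, err := versionKey(required)
	if err != nil {
		return false, err
	}
	fk, err := versionKey(fixed)
	if err != nil {
		return false, err
	}
	for i := range rk {
		if rk[i] != fk[i] {
			return rk[i] > fk[i], nil
		}
	}
	return true, nil
}

// checkGoMod resolves vulnModule's version in goMod and reports whether it includes the fix.
func checkGoMod(goMod string) (fixed bool, required string, err error) {
	if required, err = requiredVersion(goMod, vulnModule); err != nil {
		return false, "", err
	}
	fixed, err = isFixed(required, fixedVersion)
	return fixed, required, err
}

func main() {
	fixed, required, err := checkGoMod(sampleGoMod)
	fmt.Printf("%s %s fixed=%v err=%v\n", vulnModule, required, fixed, err)
}
```

Against the constructed go.mod this reports `fixed=false`; once the require line is bumped to the fixed pseudo-version, or to any later pseudo-version or tagged release, it reports `true`. Pre-release tags outside the pseudo-version family (for example `-rc1`) are rejected rather than guessed at.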

k8s-ci-robot commented 1 year ago

@olivierlemasle: This issue is currently awaiting triage.

If prometheus-adapter contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

dgrisonnet commented 1 year ago

/lgtm /approve

k8s-ci-robot commented 1 year ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dgrisonnet, olivierlemasle

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/prometheus-adapter/blob/master/OWNERS)~~ [dgrisonnet]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.