phisco / crossplane

Cloud Native Control Planes
https://crossplane.io
Apache License 2.0

chore(deps): update module github.com/rs/cors to v1.11.0 [security] (release-1.13) - abandoned - autoclosed #310

Closed phisco-renovate[bot] closed 1 month ago

phisco-renovate[bot] commented 3 months ago

This PR contains the following updates:

Package Type Update Change
github.com/rs/cors indirect minor v1.9.0 -> v1.11.0

Denial of service via malicious preflight requests in github.com/rs/cors

GHSA-mh55-gqvf-xfwm / GO-2024-2883

Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Severity: Unknown

References
- https://github.com/rs/cors/pull/171
- https://github.com/rs/cors/issues/170

This data is provided by OSV (https://osv.dev/vulnerability/GO-2024-2883) and the Go Vulnerability Database (https://github.com/golang/vulndb), CC-BY 4.0 (https://github.com/golang/vulndb#license).

Denial of service via malicious preflight requests in github.com/rs/cors

GHSA-mh55-gqvf-xfwm / GO-2024-2883

Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Severity: Moderate

References
- https://github.com/rs/cors/issues/170
- https://github.com/rs/cors/pull/171
- https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2
- https://github.com/rs/cors

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-mh55-gqvf-xfwm) and the GitHub Advisory Database (https://github.com/github/advisory-database), CC-BY 4.0 (https://github.com/github/advisory-database/blob/main/LICENSE.md).

Release Notes

rs/cors (github.com/rs/cors)

v1.11.0: https://github.com/rs/cors/compare/v1.10.1...v1.11.0
v1.10.1: https://github.com/rs/cors/compare/v1.10.0...v1.10.1
v1.10.0: https://github.com/rs/cors/compare/v1.9.0...v1.10.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
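The allocation pattern the advisory above describes, next to a bounded parser that closes it, as an added example written for this page. It is neither rs/cors's implementation nor Crossplane code: the naive parser is an illustrative reconstruction of the problem class (split the ACRH value on commas before validating anything), the byte and name budgets are assumed values, and the 431 response is one reasonable policy for an over-budget preflight, not something the advisory prescribes. The malicious header value is constructed inline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"runtime"
	"strings"
)

// Assumed budgets for the hardened parser; rs/cors's own fix may use
// different limits or a different strategy entirely.
const (
	maxACRHBytes = 4096
	maxACRHNames = 64
)

var errACRHTooLarge = errors.New("Access-Control-Request-Headers too large")

// parseHeaderListNaive reproduces the problem class: strings.Split
// materialises one string header (16 bytes on 64-bit) per comma before a
// single name has been validated, and the output slice is sized to match,
// so a value of N commas costs O(N) heap on a request that is otherwise tiny.
// Illustrative only, not rs/cors's code.
func parseHeaderListNaive(v string) []string {
	parts := strings.Split(v, ",")         // O(commas) allocation
	out := make([]string, 0, len(parts))   // second O(commas) allocation
	for _, p := range parts {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, http.CanonicalHeaderKey(p))
		}
	}
	return out
}

// parseHeaderListBounded rejects oversized values up front, then walks the
// value with strings.Cut so empty tokens cost nothing and only real header
// names are appended, capped at maxACRHNames.
func parseHeaderListBounded(v string) ([]string, error) {
	if len(v) > maxACRHBytes {
		return nil, errACRHTooLarge
	}
	var out []string
	for v != "" {
		var tok string
		tok, v, _ = strings.Cut(v, ",")
		if tok = strings.TrimSpace(tok); tok == "" {
			continue
		}
		if len(out) >= maxACRHNames {
			return nil, errACRHTooLarge
		}
		out = append(out, http.CanonicalHeaderKey(tok))
	}
	return out, nil
}

// preflightStatus is what a CORS middleware could answer to an OPTIONS
// preflight carrying the given ACRH value: 204 when it parses within budget,
// 431 (Request Header Fields Too Large) otherwise, decided before any
// per-name work is done.
func preflightStatus(acrh string) int {
	if _, err := parseHeaderListBounded(acrh); err != nil {
		return http.StatusRequestHeaderFieldsTooLarge
	}
	return http.StatusNoContent
}

// bytesAllocated returns the heap bytes allocated while f runs.
func bytesAllocated(f func()) uint64 {
	var before, after runtime.MemStats
	runtime.GC()
	runtime.ReadMemStats(&before)
	f()
	runtime.ReadMemStats(&after)
	return after.TotalAlloc - before.TotalAlloc
}

// maliciousACRH builds the attacker's value: n commas and nothing else.
func maliciousACRH(n int) string { return strings.Repeat(",", n) }

func main() {
	evil := maliciousACRH(1 << 20) // constructed: 1 MiB of commas
	naive := bytesAllocated(func() { _ = parseHeaderListNaive(evil) })
	bounded := bytesAllocated(func() { _, _ = parseHeaderListBounded(evil) })
	fmt.Printf("naive parser: %d bytes allocated; bounded parser: %d bytes\n", naive, bounded)
	fmt.Println("benign preflight   ->", preflightStatus("x-requested-with, Content-Type"))
	fmt.Println("malicious preflight ->", preflightStatus(evil))
}
```

Two practical notes. The update row lists github.com/rs/cors as an indirect dependency, so whether any Crossplane binary actually reaches the vulnerable preflight path is a separate question from whether go.mod names the version; govulncheck answers that at symbol level and is the check to run before deciding how urgent the bump is. And a byte budget on the header value alone is not enough on its own: the name cap matters too, since a value well under 4096 bytes can still carry hundreds of one-character names.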

phisco-renovate[bot] commented 3 months ago

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: go.mod
Command failed: install-tool golang $(grep -oP "^toolchain go\K.+" go.mod)
File name: go.mod
Command failed: make generate
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
    panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xa07b8f]

goroutine 111 [running]:
go/types.(*Checker).handleBailout(0xc0017f7a00, 0xc00170bd40)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:367 +0x88
panic({0xbbe580?, 0x12a64b0?})
    /opt/containerbase/tools/golang/1.22.5/src/runtime/panic.go:770 +0x132
go/types.(*StdSizes).Sizeof(0x0, {0xdb81d8, 0x12aed20})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/sizes.go:228 +0x30f
go/types.(*Config).sizeof(...)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/sizes.go:333
go/types.representableConst.func1({0xdb81d8?, 0x12aed20?})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:76 +0x9e
go/types.representableConst({0xdbe530, 0x1279cc0}, 0xc0017f7a00, 0x12aed20, 0xc001708ed8)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:106 +0x2c7
go/types.(*Checker).representation(0xc0017f7a00, 0xc00171a740, 0x12aed20)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:256 +0x65
go/types.(*Checker).representable(0xc0017f7a00, 0xc00171a740, 0x12aed20)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/const.go:239 +0x26
go/types.(*Checker).shift(0xc0017f7a00, 0xc00171a700, 0xc00171a740, {0xdbc2c8, 0xc0018049c0}, 0x14)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:650 +0x1eb
go/types.(*Checker).binary(0xc0017f7a00, 0xc00171a700, {0xdbc2c8, 0xc0018049c0}, {0xdbc7d8, 0xc001816460}, {0xdbc7d8, 0xc001816480}, 0x14, 0x2c8734)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:796 +0x150
go/types.(*Checker).exprInternal(0xc0017f7a00, 0x0, 0xc00171a700, {0xdbc2c8, 0xc0018049c0}, {0x0, 0x0})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1416 +0x206
go/types.(*Checker).rawExpr(0xc0017f7a00, 0x0, 0xc00171a700, {0xdbc2c8?, 0xc0018049c0?}, {0x0?, 0x0?}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:979 +0x19e
go/types.(*Checker).expr(0xc0017f7a00, 0x0?, 0xc00171a700, {0xdbc2c8?, 0xc0018049c0?})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1513 +0x30
go/types.(*Checker).constDecl(0xc0017f7a00, 0xc001294960, {0x0, 0x0}, {0xdbc2c8, 0xc0018049c0}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:488 +0x2f1
go/types.(*Checker).objDecl(0xc0017f7a00, {0xdc3c60, 0xc001294960}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:191 +0xa49
go/types.(*Checker).ident(0xc0017f7a00, 0xc00171a6c0, 0xc00117fe60, 0x0, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/typexpr.go:62 +0x250
go/types.(*Checker).exprInternal(0xc0017f7a00, 0x0, 0xc00171a6c0, {0xdbad98, 0xc00117fe60}, {0x0, 0x0})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1033 +0x138
go/types.(*Checker).rawExpr(0xc0017f7a00, 0x0, 0xc00171a6c0, {0xdbad98?, 0xc00117fe60?}, {0x0?, 0x0?}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:979 +0x19e
go/types.(*Checker).expr(0xc0017f7a00, 0xc00170ada0?, 0xc00171a6c0, {0xdbad98?, 0xc00117fe60?})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1513 +0x30
go/types.(*Checker).binary(0xc0017f7a00, 0xc00171a680, {0xdbc2c8, 0xc001804900}, {0xdbad98, 0xc00117fe40}, {0xdbad98, 0xc00117fe60}, 0xc, 0x2c7eb5)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:784 +0xcc
go/types.(*Checker).exprInternal(0xc0017f7a00, 0x0, 0xc00171a680, {0xdbc2c8, 0xc001804900}, {0x0, 0x0})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1416 +0x206
go/types.(*Checker).rawExpr(0xc0017f7a00, 0x0, 0xc00171a680, {0xdbc2c8?, 0xc001804900?}, {0x0?, 0x0?}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:979 +0x19e
go/types.(*Checker).expr(0xc0017f7a00, 0xc00128ede0?, 0xc00171a680, {0xdbc2c8?, 0xc001804900?})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/expr.go:1513 +0x30
go/types.(*Checker).constDecl(0xc0017f7a00, 0xc00128eea0, {0x0, 0x0}, {0xdbc2c8, 0xc001804900}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:488 +0x2f1
go/types.(*Checker).objDecl(0xc0017f7a00, {0xdc3c60, 0xc00128eea0}, 0x0)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/decl.go:191 +0xa49
go/types.(*Checker).packageObjects(0xc0017f7a00)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/resolver.go:693 +0x4dd
go/types.(*Checker).checkFiles(0xc0017f7a00, {0xc001129900, 0xa, 0xa})
    /opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:408 +0x1a5
go/types.(*Checker).Files(...)
    /opt/containerbase/tools/golang/1.22.5/src/go/types/check.go:372
sigs.k8s.io/controller-tools/pkg/loader.(*loader).typeCheck(0xc000287440, 0xc000390480)
    /go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/loader.go:286 +0x36a
sigs.k8s.io/controller-tools/pkg/loader.(*Package).NeedTypesInfo(0xc000390480)
    /go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/loader.go:99 +0x39
sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check(0xc0006b3560, 0xc000390480)
    /go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:268 +0x2b7
sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check.func1(0x0?)
    /go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:262 +0x53
created by sigs.k8s.io/controller-tools/pkg/loader.(*TypeChecker).check in goroutine 74
    /go/pkg/mod/sigs.k8s.io/controller-tools@v0.12.1/pkg/loader/refs.go:260 +0x1c5
exit status 2
apis/generate.go:45: running "go": exit status 1
make[1]: *** [build/makelib/golang.mk:240: go.generate] Error 1
make: *** [build/makelib/common.mk:434: generate] Error 2

phisco-renovate[bot] commented 3 months ago

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.