Client should verify response content-type #679
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
emcfarlane
reviewed
Feb 7, 2024
| @@ -511,6 +511,21 @@ func (cc *connectUnaryClientConn) validateResponse(response *http.Response) *Err | |||
| } | |||
| cc.responseTrailer[strings.TrimPrefix(k, connectUnaryTrailerPrefix)] = v | |||
| } | |||
| err := connectValidateUnaryResponseContentType( | |||
There was a problem hiding this comment.
Could this be moved into the validate response function?
There was a problem hiding this comment.
It is. Do you mean inlined? I had made it a separate function to make it easier to test.
There was a problem hiding this comment.
Sorry misread, thought the method on the duplexcall was due to it not being part of this function, but thats for the request params.
emcfarlane
approved these changes
Feb 7, 2024
akshayjshah
approved these changes
Feb 8, 2024
| response.Status, | ||
| getHeaderCanonical(response.Header, headerContentType), | ||
| ) | ||
| if err != nil { |
There was a problem hiding this comment.
Can we scope err to the if block? It's visually a little ugly, but the functions in this portion of the code are long enough that I'd love to minimize scope where possible. Same below.
There was a problem hiding this comment.
I had not done so just because I find it a bit hard to read when the if keyword is far from the actual condition. But if that's accepted style, and even preferred in this case, I'll change it.
jhump
added a commit
that referenced
this pull request
Feb 8, 2024
This also formats the grpc version of the check so it is consistent with the other two. Addresses comment in prior PR: #679 (comment)
Merged
simonswine
added a commit
to simonswine/pyroscope
that referenced
this pull request
Jun 19, 2024
The query-frontend accidentally leaked content-type and content-encoding information from the underlying connectgrpc implementation, which is used to schedule queries on to the workers (queriers). This will filter those out, so they won't be passed on through the frontend. This could be observed by errors like this: ``` $ profilecli query series level=info msg="query series from querier" url=http://localhost:8080 from=2024-06-18T15:46:19.932471+01:00 to=2024-06-18T16:46:19.932472+01:00 labelNames=[] error: failed to query: unknown: invalid content-type: "application/grpc,application/proto"; expecting "application/grpc" exit status 1 ``` Which themselves were produced only because envoy (involved on our GC ingress), converted headers from this: ``` content-type: application/grpc content-type: application/proto ``` to ``` content-type: application/grpc,application/proto ``` This then triggered a validation recently added to connect-go: connectrpc/connect-go#679
simonswine
added a commit
to simonswine/pyroscope
that referenced
this pull request
Jun 19, 2024
The query-frontend accidentally leaked content-type and content-encoding information from the underlying connectgrpc implementation, which is used to schedule queries on to the workers (queriers). This will filter those out, so they won't be passed on through the frontend. This could be observed by errors like this: ``` $ profilecli query series level=info msg="query series from querier" url=http://localhost:8080 from=2024-06-18T15:46:19.932471+01:00 to=2024-06-18T16:46:19.932472+01:00 labelNames=[] error: failed to query: unknown: invalid content-type: "application/grpc,application/proto"; expecting "application/grpc" exit status 1 ``` Which themselves were produced only because envoy (involved on our GC ingress), converted headers from this: ``` content-type: application/grpc content-type: application/proto ``` to ``` content-type: application/grpc,application/proto ``` This then triggered a validation recently added to connect-go: connectrpc/connect-go#679
simonswine
added a commit
to grafana/pyroscope
that referenced
this pull request
Jun 19, 2024
The query-frontend accidentally leaked content-type and content-encoding information from the underlying connectgrpc implementation, which is used to schedule queries on to the workers (queriers). This will filter those out, so they won't be passed on through the frontend. This could be observed by errors like this: ``` $ profilecli query series level=info msg="query series from querier" url=http://localhost:8080 from=2024-06-18T15:46:19.932471+01:00 to=2024-06-18T16:46:19.932472+01:00 labelNames=[] error: failed to query: unknown: invalid content-type: "application/grpc,application/proto"; expecting "application/grpc" exit status 1 ``` Which themselves were produced only because envoy (involved on our GC ingress), converted headers from this: ``` content-type: application/grpc content-type: application/proto ``` to ``` content-type: application/grpc,application/proto ``` This then triggered a validation recently added to connect-go: connectrpc/connect-go#679
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
@smaye81 found some more bugs with new conformance test cases.
The client is not verifying that the response has the correct content-type. So this change adds that verification.
Some tests, that had simple handlers that weren't setting a valid content-type, had to be updated. Sorry for the large diff stats, but it's not as bad as it looks. This PR adds three new table-driven tests that account for 75% of the lines of code.