Commit
resolve CVE-2020-27813, investigate CVE-2020-26160
follow-up #639, gruntwork-io/terratest#1006

During the time of disuse, the projects have already migrated to [golang-jwt/jwt](https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md), which is a continuation of [github.com/dgrijalva/jwt-go](github.com/dgrijalva/jwt-go).

`github.com/gruntwork-io/[email protected]` uses the unsupported jwt-token in two paths:

```
github.com/gruntwork-io/[email protected] -> k8s.io/[email protected] -> github.com/Azure/go-autorest/autorest/adal v0.8.2 -> ... github.com/dgrijalva/[email protected]
```

The `replace github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16` rule fixed it. (This path is on v0.32.17 but not much different from v0.37.12.)

```
github.com/gruntwork-io/[email protected] -> github.com/google/[email protected] -> github.com/vdemeester/[email protected] -> k8s.io/legacy-cloud-providers -> k8s.io/apiserver -> go.etcd.io/[email protected] -> github.com/dgrijalva/[email protected]
```

The `replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0` rule fixed it.

`github.com/gruntwork-io/[email protected]` uses `github.com/google/[email protected]`, which links an unpatched old version of `github.com/containerd/containerd`.

If I override go-containerregistry (`github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0`), then it generates this:

```
github.com/containerd/containerd v1.2.10/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0-beta.2.0.20190828155532-0293cbd26c69/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.1-0.20191213020239-082f7e3aed57/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.3.2/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.0-beta.2.0.20200729163537-40b22ef07410/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.1/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.4.3/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
github.com/containerd/containerd v1.5.0-beta.1/go.mod h1:5HfvG1V2FsKesEGQ17k5/T7V960Tmcumvqn8Mc+pCYQ=
github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo/uBBoBORwEx6ardVcmKU=
github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
github.com/containerd/containerd v1.5.2/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
```

But >= v1.4.1 are patched. These rules will fix it:

```
replace github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
```

`github.com/gorilla/websocket` is resolved with the two steps mentioned above.

The problem is we replace packages on the go.sum level but not in go.mod. That's why jwt-go is still downloaded. We must exclude it.

The final solution looks like this and works well if the assumption that my tests are not dependent on older versions of containerd and azure is met.

```go
replace (
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/Azure/go-autorest/autorest/adal => github.com/Azure/go-autorest/autorest/adal v0.9.16
	// CVE-2021-41103 (GHSA-c2h3-6mxw-7mvq)
	// CVE-2020-27813 (GHSA-3xh2-74w9-5vxm)
	// CVE-2020-26160 (GHSA-w73w-5m7g-f7qc)
	github.com/containerd/containerd => github.com/containerd/containerd v1.5.2
	github.com/google/go-containerregistry => github.com/google/go-containerregistry v0.6.0
)

exclude github.com/dgrijalva/jwt-go v3.2.0+incompatible
```

Signed-off-by: kuritka <[email protected]>
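The dependency chains in the commit message were traced by hand. As an added example (not part of this commit or the project's code), the Go program below does the same job over `go mod graph` output: it parses the "parent child" lines and lists every path from the root module to `github.com/dgrijalva/jwt-go`, so each chain that needs a `replace` or `exclude` is visible. The graph text is constructed; the root name `example.com/app` and every version not quoted in the commit message are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output ("parent child" per line).
// Versions other than those quoted in the commit message are placeholders.
const sampleGraph = `example.com/app github.com/gruntwork-io/terratest@v0.37.12
github.com/gruntwork-io/terratest@v0.37.12 k8s.io/client-go@v0.0.0-placeholder
k8s.io/client-go@v0.0.0-placeholder github.com/Azure/go-autorest/autorest/adal@v0.8.2
github.com/Azure/go-autorest/autorest/adal@v0.8.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/gruntwork-io/terratest@v0.37.12 github.com/google/go-containerregistry@v0.0.0-placeholder
github.com/google/go-containerregistry@v0.0.0-placeholder go.etcd.io/etcd@v0.0.0-placeholder
go.etcd.io/etcd@v0.0.0-placeholder github.com/dgrijalva/jwt-go@v3.2.0+incompatible
`

// ParseGraph turns `go mod graph` text into an adjacency list keyed by node.
func ParseGraph(text string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // blank or malformed line
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string { return strings.SplitN(node, "@", 2)[0] }

// PathsTo returns every simple path from root to any node whose module path
// equals target. Module graphs can contain cycles, so nodes on the current
// path are not revisited.
func PathsTo(g map[string][]string, root, target string) [][]string {
	var out [][]string
	onPath := map[string]bool{}
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if onPath[node] {
			return
		}
		onPath[node] = true
		defer delete(onPath, node)
		path = append(path, node)
		if modulePath(node) == target {
			out = append(out, append([]string(nil), path...)) // copy before backtracking
			return
		}
		for _, child := range g[node] {
			walk(child, path)
		}
	}
	walk(root, nil)
	return out
}

func main() {
	for _, p := range PathsTo(ParseGraph(sampleGraph), "example.com/app", "github.com/dgrijalva/jwt-go") {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

On a real module, pipe `go mod graph` into `ParseGraph` and re-run after adding the `replace`/`exclude` directives; an empty result confirms the unsupported module is no longer reachable.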