Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin to v0.44.0 [security] #1456

Closed
wants to merge 1 commit into from
Closed

fix(deps): update module go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin to v0.44.0 [security] #1456

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 16, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin require minor v0.42.0 -> v0.44.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-45142

Summary

OpenTelemetry-Go Contrib has a handler wrapper otelhttp that adds the following labels by deafult that have unbound cardinality:

  • http.user_agent
  • http.method

This leads to the server's potential memory exhaustion when many malicious requests are sent to it.

Details

HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses httpconv.ServerRequest that records every value for HTTP method and User-Agent.

This pull request released with version 0.44.0 dixes this vulnerability The values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.

Impact

In order to be affected program has to use otelhttp.NewHandler wrapper and does not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc.

Others

This vulnerability is similar but different from these known vulnerabilities:

Workaround for affected versions

As a workaround, otelhttp.WithFilter() can be used instead, but it requires manual careful configuration to not log certain requests entirely.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
fix(deps): update module go.opentelemetry.io/contrib/instrumentation/…
4925db6 
…github.com/gin-gonic/gin/otelgin to v0.44.0 [security]

| datasource | package                                                                      | from    | to      |
| ---------- | ---------------------------------------------------------------------------- | ------- | ------- |
| go         | go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin | v0.42.0 | v0.44.0 |


Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate
Copy link
Contributor Author

renovate bot commented Oct 16, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: core/go.sum
Command failed: docker run --rm --name=renovate_a_sidecar --label=renovate_a_child --memory=3584m -v "/tmp/worker/a77960/d1a844/repos/github/synapsecns/sanguine":"/tmp/worker/a77960/d1a844/repos/github/synapsecns/sanguine" -v "/tmp/worker/a77960/d1a844/cache":"/tmp/worker/a77960/d1a844/cache" -e GOPATH -e GOPROXY -e GOSUMDB -e GOFLAGS -e CGO_ENABLED -e GIT_CONFIG_KEY_0 -e GIT_CONFIG_VALUE_0 -e GIT_CONFIG_KEY_1 -e GIT_CONFIG_VALUE_1 -e GIT_CONFIG_KEY_2 -e GIT_CONFIG_VALUE_2 -e GIT_CONFIG_COUNT -e CONTAINERBASE_CACHE_DIR -w "/tmp/worker/a77960/d1a844/repos/github/synapsecns/sanguine/core" ghcr.io/containerbase/sidecar:9.23.4 bash -l -c "install-tool golang 1.21.3 && go get -d -t ./... && go mod tidy && go mod tidy"
go: downloading github.com/c-bata/go-prompt v0.2.6
go: downloading github.com/ipfs/go-log v1.0.5
go: downloading github.com/pkg/errors v0.9.1
go: downloading github.com/urfave/cli/v2 v2.25.5
go: downloading go.uber.org/zap v1.25.0
go: downloading github.com/go-git/go-git/v5 v5.8.1
go: downloading github.com/integralist/go-findroot v0.0.0-20160518114804-ac90681525dc
go: downloading github.com/shibukawa/configdir v0.0.0-20170330084843-e180dbdc8da0
go: downloading github.com/brianvoe/gofakeit/v6 v6.20.1
go: downloading github.com/stretchr/testify v1.8.4
go: downloading github.com/fatih/structtag v1.2.0
go: downloading github.com/rung/go-safecast v1.0.1
go: downloading gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55
go: downloading github.com/Flaque/filet v0.0.0-20201012163910-45f684403088
go: downloading gorm.io/driver/sqlite v1.5.3
go: downloading github.com/ory/dockertest/v3 v3.10.0
go: downloading github.com/danielkov/gin-helmet v0.0.0-20171108135313-1387e224435e
go: downloading github.com/gin-contrib/cors v1.4.0
go: downloading github.com/gin-contrib/requestid v0.0.6
go: downloading github.com/gin-contrib/zap v0.1.0
go: downloading github.com/gin-gonic/gin v1.9.1
go: downloading github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a
go: downloading github.com/google/uuid v1.3.1
go: downloading github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5
go: downloading github.com/temoto/robotstxt v1.1.2
go: downloading github.com/LK4d4/trylock v0.0.0-20191027065348-ff7e133a5c54
go: downloading github.com/ethereum/go-ethereum v1.10.26
go: downloading github.com/ImVexed/fasturl v0.0.0-20230304231329-4e41488060f3
go: downloading github.com/prometheus/client_golang v1.15.1
go: downloading github.com/pyroscope-io/client v0.7.2
go: downloading github.com/pyroscope-io/otel-profiling-go v0.4.0
go: downloading github.com/uptrace/opentelemetry-go-extra/otelgorm v0.1.21
go: downloading go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin v0.44.0
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.42.0
go: downloading go.opentelemetry.io/contrib/propagators/b3 v1.19.0
go: downloading go.opentelemetry.io/otel v1.18.0
go: downloading go.opentelemetry.io/otel/exporters/jaeger v1.14.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.16.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.16.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.16.0
go: downloading go.opentelemetry.io/otel/exporters/prometheus v0.39.0
go: downloading go.opentelemetry.io/otel/metric v1.18.0
go: downloading go.opentelemetry.io/otel/sdk/metric v0.39.0
go: downloading go.opentelemetry.io/otel/sdk v1.16.0
go: downloading go.opentelemetry.io/otel/trace v1.18.0
go: downloading github.com/cheekybits/genny v1.0.0
go: downloading golang.org/x/sync v0.3.0
go: downloading github.com/jpillora/backoff v1.0.0
go: downloading github.com/google/go-cmp v0.5.9
go: downloading k8s.io/apimachinery v0.25.5
go: downloading github.com/Soft/iter v0.1.0
go: downloading github.com/mitchellh/go-homedir v1.1.0
go: downloading golang.ngrok.com/ngrok v1.0.0
go: downloading golang.org/x/crypto v0.13.0
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/mattn/go-runewidth v0.0.13
go: downloading github.com/mattn/go-tty v0.0.3
go: downloading golang.org/x/sys v0.12.0
go: downloading github.com/ipfs/go-log/v2 v2.1.3
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading go.uber.org/multierr v1.10.0
go: downloading github.com/cpuguy83/go-md2man/v2 v2.0.2
go: downloading github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673
go: downloading dario.cat/mergo v1.0.0
go: downloading github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95
go: downloading github.com/go-git/go-billy/v5 v5.4.1
go: downloading github.com/sergi/go-diff v1.3.1
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/jinzhu/now v1.1.5
go: downloading github.com/jinzhu/inflection v1.0.0
go: downloading github.com/spf13/afero v1.9.5
go: downloading github.com/mattn/go-sqlite3 v2.0.3+incompatible
go: downloading github.com/cenkalti/backoff/v4 v4.2.1
go: downloading github.com/Microsoft/go-winio v0.6.1
go: downloading github.com/docker/go-units v0.5.0
go: downloading github.com/gin-contrib/sse v0.1.0
go: downloading github.com/mattn/go-isatty v0.0.19
go: downloading golang.org/x/net v0.15.0
go: downloading github.com/btcsuite/btcd/btcec/v2 v2.3.0
go: downloading github.com/deckarep/golang-set v1.8.0
go: downloading github.com/gorilla/websocket v1.5.0
go: downloading gopkg.in/natefinch/npipe.v2 v2.0.0-20160621034901-c1b8fa8bdcce
go: downloading github.com/prometheus/client_model v0.4.0
go: downloading github.com/prometheus/common v0.42.0
go: downloading github.com/pyroscope-io/godeltaprof v0.1.2
go: downloading github.com/uptrace/opentelemetry-go-extra/otelsql v0.2.2
go: downloading github.com/felixge/httpsnoop v1.0.3
go: downloading github.com/go-logr/logr v1.2.4
go: downloading go.opentelemetry.io/proto/otlp v0.19.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.16.0
go: downloading google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
go: downloading google.golang.org/grpc v1.55.0
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading google.golang.org/protobuf v1.31.0
go: downloading k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
go: downloading github.com/inconshreveable/log15/v3 v3.0.0-testing.5
go: downloading github.com/inconshreveable/log15 v3.0.0-testing.3+incompatible
go: downloading github.com/pkg/term v1.2.0-beta.2
go: downloading github.com/rivo/uniseg v0.2.0
go: downloading github.com/regen-network/protobuf v1.3.3-alpha.regen.1
go: downloading github.com/russross/blackfriday/v2 v2.1.0
go: downloading github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376
go: downloading github.com/pjbgf/sha1cd v0.3.0
go: downloading github.com/emirpasic/gods v1.18.1
go: downloading github.com/acomagu/bufpipe v1.0.4
go: downloading github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99
go: downloading golang.org/x/text v0.13.0
go: downloading github.com/docker/cli v20.10.17+incompatible
go: downloading golang.org/x/tools v0.9.3
go: downloading github.com/sirupsen/logrus v1.9.0
go: downloading github.com/opencontainers/runc v1.1.5
go: downloading github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5
go: downloading github.com/moby/term v0.0.0-20221205130635-1aeaba878587
go: downloading github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799
go: downloading github.com/go-playground/validator/v10 v10.14.0
go: downloading github.com/pelletier/go-toml/v2 v2.0.8
go: downloading github.com/ugorji/go/codec v1.2.11
go: downloading github.com/bytedance/sonic v1.9.1
go: downloading github.com/goccy/go-json v0.10.2
go: downloading github.com/json-iterator/go v1.1.12
go: downloading github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0
go: downloading github.com/go-stack/stack v1.8.1
go: downloading github.com/shirou/gopsutil v3.21.11+incompatible
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.2.0
go: downloading github.com/prometheus/procfs v0.9.0
go: downloading github.com/golang/protobuf v1.5.3
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.4
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3
go: downloading k8s.io/klog/v2 v2.80.1
go: downloading golang.org/x/term v0.12.0
go: downloading github.com/cloudflare/circl v1.3.3
go: downloading gopkg.in/warnings.v0 v0.1.2
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading github.com/kevinburke/ssh_config v1.2.0
go: downloading github.com/skeema/knownhosts v1.2.0
go: downloading github.com/xanzy/ssh-agent v0.3.3
go: downloading github.com/docker/go-connections v0.4.0
go: downloading github.com/docker/docker v20.10.23+incompatible
go: downloading github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
go: downloading github.com/imdario/mergo v0.3.13
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading github.com/containerd/continuity v0.3.0
go: downloading github.com/opencontainers/go-digest v1.0.0
go: downloading github.com/gabriel-vasile/mimetype v1.4.2
go: downloading github.com/go-playground/universal-translator v0.18.1
go: downloading github.com/leodido/go-urn v1.2.4
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading github.com/modern-go/reflect2 v1.0.2
go: downloading github.com/tklauser/go-sysconf v0.3.10
go: downloading github.com/yusufpapurcu/wmi v1.2.2
go: downloading github.com/xeipuuv/gojsonschema v1.2.0
go: downloading github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1
go: downloading github.com/go-playground/locales v0.14.1
go: downloading github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311
go: downloading golang.org/x/arch v0.3.0
go: downloading github.com/tklauser/numcpus v0.4.0
go: downloading github.com/go-ole/go-ole v1.2.6
go: downloading github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415
go: downloading golang.org/x/mod v0.10.0
go: downloading github.com/klauspost/cpuid/v2 v2.2.4
go: downloading github.com/twitchyliquid64/golang-asm v0.15.1
go: downloading github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f
go: downloading go.opentelemetry.io v0.1.0
go: downloading go.opentelemetry.io/otel v1.19.0
go: downloading go.opentelemetry.io/otel/exporters/otlp v0.20.1
go: github.com/synapsecns/sanguine/core/metrics imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace imports
	go.opentelemetry.io/otel/exporters/otlp/internal: cannot find module providing package go.opentelemetry.io/otel/exporters/otlp/internal
go: github.com/synapsecns/sanguine/core/metrics imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc imports
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/otlpconfig imports
	go.opentelemetry.io/otel/exporters/otlp/internal/envconfig: cannot find module providing package go.opentelemetry.io/otel/exporters/otlp/internal/envconfig
go: module go.opentelemetry.io/otel/exporters/jaeger is deprecated: This module is no longer supported.
go: warning: github.com/mattn/[email protected]+incompatible: retracted by module author: Accidental; no major changes or features.
go: to switch to the latest unretracted version, run:
	go get github.com/mattn/go-sqlite3@latest

@codecov
Copy link

codecov bot commented Oct 16, 2023
edited
Loading

Codecov Report

All modified lines are covered by tests ✅

Comparison is base (2ee5234) 50.69210% compared to head (4925db6) 50.69210%.

Additional details and impacted files 
@@              Coverage Diff              @@
##              master       #1456   +/-   ##
=============================================
  Coverage   50.69210%   50.69210%           
=============================================
  Files            356         356           
  Lines          24274       24274           
  Branches         267         267           
=============================================
  Hits           12305       12305           
  Misses         10775       10775           
  Partials        1194        1194
Flag Coverage Δ
git-changes-action 53.94265% <ø> (ø)
release-copier-action 19.33333% <ø> (ø)
tools 21.72452% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@trajan0x trajan0x closed this Oct 17, 2023
@trajan0x trajan0x deleted the renovate/core-go-go.opentelemetry.io/contrib/instrumentation/github.com/gin-gonic/gin/otelgin-vulnerability branch October 17, 2023 22:15
@renovate
Copy link
Contributor Author

renovate bot commented Oct 17, 2023
edited
Loading

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v0.44.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trajan0x trajan0x Awaiting requested review from trajan0x trajan0x will be requested when the pull request is marked ready for review trajan0x is a code owner

Assignees

@trajan0x trajan0x

Labels
dependencies needs-go-generate-contrib/git-changes-action needs-go-generate-core size/xs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@trajan0x