
fix: upload-artifact@v4 breaks in release and RUSTSEC-2024-0003 #1541

Merged (2 commits, Jan 18, 2024)

Conversation

@Desiki-high (Member) commented Jan 18, 2024

Relevant Issue (if applicable)

https://github.com/dragonflyoss/nydus/actions/runs/7562390653

Error:
Failed to CreateArtifact: Received non-retryable error: Failed request: (409) Conflict: an artifact with this name already exists on the workflow run

https://github.com/dragonflyoss/nydus/actions/runs/7564593915/job/20599129930

 /github/workspace/Cargo.lock:74:1
   │
74 │ h2 0.3.18 registry+https://github.com/rust-lang/crates.io-index
   │ --------------------------------------------------------------- security vulnerability detected
   │
   = ID: RUSTSEC-2024-0003
   = Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003
   = An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
     generation of reset frames on the victim endpoint.
     By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
     resulting in Out Of Memory (OOM) and high CPU usage.

Details

  1. fix error in release upload action [bug] (v4) Unable to upload to same artifact name from multiple jobs actions/upload-artifact#478 (comment)
  2. fix RUSTSEC-2024-0003 streams: limit error resets for misbehaving connections hyperium/h2#737

Types of changes

What types of changes does your Pull Request introduce? Put an x in all the boxes that apply:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation Update (if none of the other choices apply)

Checklist

Go over all the following points, and put an x in all the boxes that apply.

  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
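As an added example (not code from this PR or from the hyper/h2 project), a small Python scanner that reads a Cargo.lock and flags crate entries that fall outside an advisory's patched version ranges, which is the check the cargo audit output above performs when it points at h2 0.3.18. The lockfile text and the patched-version bounds are constructed placeholders; the real bounds must be copied from the RUSTSEC-2024-0003 advisory page.

```python
import re

# Constructed Cargo.lock excerpt: the h2 0.3.18 entry mirrors the audit finding above.
SAMPLE_LOCK = """\
[[package]]
name = "h2"
version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "hyper"
version = "0.14.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Advisory -> (crate, patched ranges as (lower_inclusive, upper_exclusive_or_None)).
# PLACEHOLDER bounds: read the real patched versions from the RUSTSEC advisory page.
ADVISORIES = {"RUSTSEC-2024-0003": ("h2", [("0.3.99", "0.4.0"), ("0.4.99", None)])}


def version_key(v):
    """Comparable tuple for a dotted version; pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.split(r"[.+-]", v)[:3] if p.isdigit())


def parse_lock(text):
    """Return (name, version, line_no_of_block_start) for each [[package]] block."""
    blocks, cur = [], None
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "[[package]]":
            cur = {"line": line_no}
            blocks.append(cur)
        elif cur is not None:
            m = re.match(r'^(name|version)\s*=\s*"([^"]+)"', line)
            if m:
                cur[m.group(1)] = m.group(2)
    return [(b["name"], b["version"], b["line"]) for b in blocks if "name" in b and "version" in b]


def is_patched(version, ranges):
    """True if the locked version falls inside any patched range."""
    key = version_key(version)
    return any(version_key(lo) <= key and (hi is None or key < version_key(hi)) for lo, hi in ranges)


def audit(text, advisories=ADVISORIES):
    """Return [(advisory_id, crate, locked_version, line_no)] for vulnerable lock entries."""
    return [(adv, name, ver, line)
            for name, ver, line in parse_lock(text)
            for adv, (crate, ranges) in advisories.items()
            if name == crate and not is_patched(ver, ranges)]
```

A version in a later series that is below that series' own bound (for example a 0.4.x release older than the 0.4 patch) is still reported, which a plain "greater than the first fixed version" comparison would miss.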

Error:
Failed to CreateArtifact: Received non-retryable error: Failed request: (409) Conflict: an artifact with this name already exists on the workflow run

Signed-off-by: Yadong Ding <ding_yadong@foxmail.com>
@Desiki-high Desiki-high requested a review from a team as a code owner January 18, 2024 02:38
@Desiki-high Desiki-high requested review from liubogithub, imeoer and gaius-qi and removed request for a team January 18, 2024 02:38
codecov bot commented Jan 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a3922b8) 61.39% compared to head (05ccdec) 61.35%.

Additional details and impacted files


@@            Coverage Diff             @@
##           master    #1541      +/-   ##
==========================================
- Coverage   61.39%   61.35%   -0.05%     
==========================================
  Files         144      144              
  Lines       46962    46962              
  Branches    44498    44498              
==========================================
- Hits        28833    28812      -21     
- Misses      16646    16665      +19     
- Partials     1483     1485       +2     

see 5 files with indirect coverage changes

ID: RUSTSEC-2024-0003
Advisory: https://rustsec.org/advisories/RUSTSEC-2024-0003
An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
generation of reset frames on the victim endpoint.
By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
resulting in Out Of Memory (OOM) and high CPU usage.

This is fixed in hyperium/h2#737, which limits the total number of
internal error resets emitted by default before the connection is closed.

Signed-off-by: Yadong Ding <ding_yadong@foxmail.com>
@Desiki-high Desiki-high requested a review from a team as a code owner January 18, 2024 02:58
@Desiki-high Desiki-high requested review from hsiangkao and removed request for a team January 18, 2024 02:58
@Desiki-high Desiki-high changed the title fix: upload-artifact@v4 breaks in release fix: upload-artifact@v4 breaks in release and RUSTSEC-2024-0003 Jan 18, 2024
@adamqqqplay (Member) left a comment

Thanks for your work!

@imeoer imeoer merged commit 5f26f8e into dragonflyoss:master Jan 18, 2024
22 checks passed