From d8de004a1758daa280d7c49c8274b10fecd8ab1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?=
Date: Thu, 4 Apr 2024 17:42:49 -0300
Subject: [PATCH] - Updated to Go 1.21.9 to address CVE-2023-45288 - Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs - Bump to v1.9.3 - Update CHANGELOG
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Agustín Martínez Fayó
---
 .github/workflows/pr_build.yaml | 2 +-
 .github/workflows/release_build.yaml | 2 +-
 .go-version | 2 +-
 CHANGELOG.md | 14 +++++++++
 pkg/common/version/version.go | 2 +-
 pkg/server/datastore/sqlstore/migration.go | 6 ++++
 pkg/server/datastore/sqlstore/sqlstore.go | 32 ++++++++++----------
 test/integration/suites/upgrade/versions.txt | 2 ++
 8 files changed, 42 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
index 4c534dbda3..df590422a3 100644
--- a/.github/workflows/pr_build.yaml
+++ b/.github/workflows/pr_build.yaml
@@ -3,7 +3,7 @@ on:
 pull_request: {}
 workflow_dispatch: {}
 env:
- GO_VERSION: 1.21.8
+ GO_VERSION: 1.21.9
 permissions:
 contents: read
diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
index 716a1a4a88..1100d2cf4f 100644
--- a/.github/workflows/release_build.yaml
+++ b/.github/workflows/release_build.yaml
@@ -4,7 +4,7 @@ on:
 tags:
 - 'v[0-9].[0-9]+.[0-9]+'
 env:
- GO_VERSION: 1.21.8
+ GO_VERSION: 1.21.9
 jobs:
 cache-deps:
 name: cache-deps (linux)
diff --git a/.go-version b/.go-version
index 428abfd24f..f124bfa155 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.8
+1.21.9
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d18c7940b8..5af74028ec 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.9.2] - 2024-03-25
 ### Added
@@ -52,6 +59,13 @@
 - X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.8.8] - 2024-03-05
 ### Security
diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go
index cf59e21c1f..d00f272fff 100644
--- a/pkg/common/version/version.go
+++ b/pkg/common/version/version.go
@@ -8,7 +8,7 @@ const (
 // IMPORTANT: When updating, make sure to reconcile the versions list that
 // is part of the upgrade integration test. See
 // test/integration/suites/upgrade/README.md for details.
- Base = "1.9.2"
+ Base = "1.9.3"
 )
 var (
diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go
index 10f29aa50a..a2fe473ff0 100644
--- a/pkg/server/datastore/sqlstore/migration.go
+++ b/pkg/server/datastore/sqlstore/migration.go
@@ -216,10 +216,16 @@ import (
 // | v1.8.7 | | |
 // |---------| | |
 // | v1.8.8 | | |
+// |---------| | |
+// | v1.8.9 | | |
 // |*********|********|***************************************************************************|
 // | v1.9.0 | | |
 // |---------| | |
 // | v1.9.1 | | |
+// |---------| | |
+// | v1.9.2 | | |
+// |---------| | |
+// | v1.9.3 | | |
 // ================================================================================================
 const (
diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
index 5cb6ef3b46..12fff70d09 100644
--- a/pkg/server/datastore/sqlstore/sqlstore.go
+++ b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -64,6 +64,9 @@ const (
 // PostgreSQL database type provided by an AWS service
 AWSPostgreSQL = "aws_postgres"
+
+ // Maximum size for preallocation in a paginated request
+ maxResultPreallocation = 1000
 )
 // Configuration for the sql datastore implementation.
@@ -1691,13 +1694,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
 }
 defer rows.Close()
- var nodes []*common.AttestedNode
- if req.Pagination != nil {
- nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
- } else {
- nodes = make([]*common.AttestedNode, 0, 64)
- }
-
+ nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
 pushNode := func(node *common.AttestedNode) {
 if node != nil && node.SpiffeId != "" {
 nodes = append(nodes, node)
@@ -2758,15 +2755,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
 }
 defer rows.Close()
- var entries []*common.RegistrationEntry
- if req.Pagination != nil {
- entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
- } else {
- // start the slice off with a little capacity to avoid the first few
- // reallocations
- entries = make([]*common.RegistrationEntry, 0, 64)
- }
-
+ entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
 pushEntry := func(entry *common.RegistrationEntry) {
 // Due to previous bugs (i.e. #1191), there can be cruft rows related
 // to a deleted registration entries that are fetched with the list
@@ -4645,3 +4634,14 @@ func isPostgresDbType(dbType string) bool {
 func isSQLiteDbType(dbType string) bool {
 return dbType == SQLite
 }
+
+func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
+ switch {
+ case pagination == nil:
+ return 64
+ case pagination.PageSize < maxResultPreallocation:
+ return pagination.PageSize
+ default:
+ return maxResultPreallocation
+ }
+}
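Review bot: `calculateResultPreallocation` (last hunk of pkg/server/datastore/sqlstore/sqlstore.go) still passes a negative `PageSize` straight through, because `pagination.PageSize < maxResultPreallocation` holds for every negative value and `make(..., 0, n)` with a negative capacity panics at the call sites in `listAttestedNodesOnce` and `listRegistrationEntriesOnce`. The removed code had the same exposure, so this is not a regression, and the RPC layer may already reject non-positive page sizes, but nothing in this patch shows that; a guard in the helper closes it regardless, e.g. `case pagination.PageSize <= 0: return 0` placed before the existing `<` case. The new function also lacks a doc comment; `// calculateResultPreallocation returns the initial capacity for a result slice: the requested page size capped at maxResultPreallocation, so a client-supplied PageSize cannot force a large allocation, or 64 when the request is not paginated.` would record why the cap exists. The enclosing functions of the two caller hunks start and end outside their hunks.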
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt
index cf13c8a877..bd40db6961 100644
--- a/test/integration/suites/upgrade/versions.txt
+++ b/test/integration/suites/upgrade/versions.txt
@@ -7,5 +7,7 @@
 1.8.6
 1.8.7
 1.8.8
+1.8.9
 1.9.0
 1.9.1
+1.9.2