Bug #18491

closed

Address jwt-go's security advisory

Added by Lucas Di Pentima about 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
API
Target version:
Story points:
-
Release relationship:
Auto

Description

One of controller's dependencies requires an upgrade because of security issues.

https://github.com/advisories/GHSA-w73w-5m7g-f7qc

The project seems to have been taken over by a new maintainer team at: https://github.com/golang-jwt/jwt


Subtasks 1 (0 open, 1 closed)

Task #18493: Review 18491-jwt-go-upgrade (Resolved, Lucas Di Pentima, 11/30/2021)
Actions #1

Updated by Lucas Di Pentima about 3 years ago

By using go mod graph I was able to see which dependency asked for this module:

lucas@buster:~/arvados$ go mod graph | grep jwt
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
lucas@buster:~/arvados$ go mod graph | grep adal@
[...]
github.com/Azure/go-autorest/autorest@v0.11.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
[...]
github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest@v0.11.3 github.com/Azure/go-autorest/autorest/adal@v0.9.0
lucas@buster:~/arvados$ go mod graph | grep azure/cli
[...]
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0
lucas@buster:~/arvados$ go mod graph | grep azure/auth
git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1
[...]

It seems that github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 is the root of this requirement chain; I'll attempt an upgrade on it.
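
Added example, not part of this ticket or of the Arvados code base: a small Go program that does what the grep chain above does by hand, parsing `go mod graph` output and returning the shortest requirement chain from the main module to any version of a given module. The embedded graph is a constructed sample built from the lines quoted above, and the function and type names are mine.

```go
package main
import "strings"

// Constructed sample in the format printed by `go mod graph` ("requirer requirement"
// per line), reduced to the modules that appear in the excerpt above.
const sampleGraph = `git.arvados.org/arvados.git github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0
github.com/Azure/go-autorest/autorest/azure/auth@v0.5.1 github.com/Azure/go-autorest/autorest/adal@v0.9.2
github.com/Azure/go-autorest/autorest/azure/cli@v0.4.0 github.com/Azure/go-autorest/autorest/adal@v0.9.0
github.com/Azure/go-autorest/autorest/adal@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/Azure/go-autorest/autorest/adal@v0.9.2 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
`

// parseGraph builds an adjacency list: requirer -> its direct requirements.
func parseGraph(text string) map[string][]string {
	edges := map[string][]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges[f[0]] = append(edges[f[0]], f[1])
		}
	}
	return edges
}

// FindRequirementChain runs a breadth-first search from root and returns the
// shortest chain of modules that reaches any version of target (matched on the
// module path, ignoring "@version"), or nil if target is not required at all.
func FindRequirementChain(graph, root, target string) []string {
	edges := parseGraph(graph)
	parent := map[string]string{root: ""} // node -> the node that required it
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if path, _, _ := strings.Cut(cur, "@"); path == target {
			var chain []string // walk parent links back to root
			for n := cur; n != ""; n = parent[n] {
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range edges[cur] {
			if _, seen := parent[next]; !seen {
				parent[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil
}
```

In a real checkout, feed it the output of `go mod graph` and the module path named in the advisory; the chain it prints tells you which direct dependency to bump before running `go mod tidy`.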

Actions #2

Updated by Lucas Di Pentima about 3 years ago

Updates at d69ebd24d - branch 18491-jwt-go-upgrade
Test run: developer-run-tests: #2818

  • Upgrades github.com/Azure/go-autorest/autorest/azure/auth to v0.5.9 and all its dependencies.
  • Removes unused modules (including github.com/dgrijalva/jwt-go) by running: go mod tidy
Actions #3

Updated by Lucas Di Pentima about 3 years ago

I'm getting the following test failure and I'm not sure why:

16:32:26 ----------------------------------------------------------------------
16:32:26 FAIL: container_gateway_test.go:189: ContainerGatewaySuite.TestConnect
16:32:26 
16:32:26 connecting to localhost:37559
16:32:26 container_gateway_test.go:213:
16:32:26     c.Check(buf[:4], check.DeepEquals, []byte{0, 0, 1, 0xfc})
16:32:26 ... obtained []uint8 = []byte{0x0, 0x0, 0x2, 0xc}
16:32:26 ... expected []uint8 = []byte{0x0, 0x0, 0x1, 0xfc}
Actions #4

Updated by Tom Clegg about 3 years ago

IIRC when I wrote that test I didn't know what the bytes meant, they just seemed to be equal each time. Now that I bother to look at RFC4253 it seems they're just the length of a data packet, so not worth testing. I think we can just delete that check. The previous line already checks that we can read 4 bytes after sending our banner, which seems good enough for this test's purposes.

Actions #5

Updated by Lucas Di Pentima about 3 years ago

Thanks for the explanation!

I've updated the test at bc3637c90
Test run: developer-run-tests: #2822

Actions #6

Updated by Tom Clegg about 3 years ago

LGTM, thanks!

Actions #7

Updated by Lucas Di Pentima about 3 years ago

  • Status changed from In Progress to Resolved

Applied in changeset arvados-private:commit:arvados|e163d0f19b52b4c15adb3d97f49bcacdbaf8dc89.

Actions #8

Updated by Lucas Di Pentima about 3 years ago

To re-do this on the 2.3-dev branch, run the following:

$ go get -u github.com/Azure/go-autorest/autorest/azure/auth
$ go mod tidy

Then fix a test by removing the check on line 213 of lib/controller/localdb/container_gateway_test.go.
