From 4ec058a76aea274ee995bb8e8892f19b9b83fa39 Mon Sep 17 00:00:00 2001 From: Mostyn Bramley-Moore Date: Thu, 6 Jun 2024 15:03:39 +0200 Subject: [PATCH] Upgrade github.com/mostynb/go-grpc-compression to avoid decompression bomb DoS https://github.com/mostynb/go-grpc-compression/pull/27 --- go.mod | 6 +++--- go.sum | 12 +++++------ utils/grpcreadclient/grpcreadclient.go | 29 +++++++------------------- 3 files changed, 17 insertions(+), 30 deletions(-) diff --git a/go.mod b/go.mod index d6e7efe56..304c99704 100644 --- a/go.mod +++ b/go.mod @@ -10,7 +10,7 @@ require ( github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 github.com/klauspost/compress v1.17.8 github.com/minio/minio-go/v7 v7.0.69 - github.com/mostynb/go-grpc-compression v1.2.2 + github.com/mostynb/go-grpc-compression v1.2.3 github.com/mostynb/zstdpool-syncpool v0.0.13 github.com/prometheus/client_golang v1.19.0 github.com/prometheus/client_model v0.6.1 // indirect @@ -20,8 +20,8 @@ require ( golang.org/x/sync v0.7.0 golang.org/x/sys v0.19.0 // indirect google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda - google.golang.org/grpc v1.63.2 - google.golang.org/protobuf v1.33.0 + google.golang.org/grpc v1.64.0 + google.golang.org/protobuf v1.34.1 gopkg.in/yaml.v3 v3.0.1 ) diff --git a/go.sum b/go.sum index 452476972..015b0b220 100644 --- a/go.sum +++ b/go.sum 
@@ -76,8 +76,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/mostynb/go-grpc-compression v1.2.2 h1:XaDbnRvt2+1vgr0b/l0qh4mJAfIxE0bKXtz2Znl3GGI=
-github.com/mostynb/go-grpc-compression v1.2.2/go.mod h1:GOCr2KBxXcblCuczg3YdLQlcin1/NfyDA348ckuCH6w=
+github.com/mostynb/go-grpc-compression v1.2.3 h1:42/BKWMy0KEJGSdWvzqIyOZ95YcR9mLPqKctH7Uo//I=
+github.com/mostynb/go-grpc-compression v1.2.3/go.mod h1:AghIxF3P57umzqM9yz795+y1Vjs47Km/Y2FE6ouQ7Lg=
 github.com/mostynb/zstdpool-syncpool v0.0.13 h1:AIzAvQ9hNum4Fh5jYXyfZTd2aDi1leq7grKDkVZX4+s=
 github.com/mostynb/zstdpool-syncpool v0.0.13/go.mod h1:pbt8qOdq6wX5jrUsRI9UmBvAnjToEgVQC3H1pwJwktM=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
@@ -183,10 +183,10 @@ google.golang.org/genproto/googleapis/bytestream v0.0.0-20240401170217-c3f982113
 google.golang.org/genproto/googleapis/bytestream v0.0.0-20240401170217-c3f982113cda/go.mod h1:IN9OQUXZ0xT+26MDwZL8fJcYw+y99b0eYPA2U15Jt8o=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda h1:LI5DOvAxUPMv/50agcLLoo+AdWc1irS9Rzz4vPuD1V4=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/utils/grpcreadclient/grpcreadclient.go b/utils/grpcreadclient/grpcreadclient.go
index 8e4f2847c..708290855 100644
--- a/utils/grpcreadclient/grpcreadclient.go
+++ b/utils/grpcreadclient/grpcreadclient.go
@@ -108,9 +108,9 @@ func main() { } } -func dial(serverAddr string, caCertFile string, clientCertFile string, clientKeyFile string, basicAuthUser string, basicAuthPass string) (*grpc.ClientConn, error, context.Context, context.CancelFunc) { +func dial(serverAddr string, caCertFile string, clientCertFile string, clientKeyFile string, basicAuthUser string, basicAuthPass string) (*grpc.ClientConn, error) { - dialOpts := []grpc.DialOption{grpc.WithBlock()} + dialOpts := []grpc.DialOption{} if basicAuthUser != "" { authority := fmt.Sprintf("%s:%s@%s", basicAuthUser, basicAuthPass, serverAddr) @@ -126,12 +126,12 @@ func dial(serverAddr string, caCertFile string, clientCertFile string, clientKey caCertData, err := os.ReadFile(caCertFile) if err != nil { return nil, fmt.Errorf("Failed to read CA cert file %q: %w", - caCertFile, err), nil, nil + caCertFile, err) } pool := x509.NewCertPool() if !pool.AppendCertsFromPEM(caCertData) { - return nil, fmt.Errorf("Failed to create CA certificate pool"), nil, nil + return nil, fmt.Errorf("Failed to create CA certificate pool") } tlsCfg := &tls.Config{RootCAs: pool} @@ -140,7 +140,7 @@ func dial(serverAddr string, caCertFile string, clientCertFile string, clientKey clientCert, err := tls.LoadX509KeyPair(clientCertFile, clientKeyFile) if err != nil { return nil, fmt.Errorf("Failed to read client cert file %q (key file %q): %w", - clientCertFile, clientKeyFile, err), nil, nil + clientCertFile, clientKeyFile, err) } tlsCfg.Certificates = []tls.Certificate{clientCert} 
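Review bot: Dropping `grpc.WithBlock()` from the new `dialOpts` line means `dial` no longer proves that `serverAddr` is reachable: `grpc.NewClient` hands back a lazily-connected conn, so the error it returns only covers bad options or an unparseable target, and the "Dialing..." message printed later in the function is no longer literally true. Any reachability failure now surfaces only on the first RPC issued by `run`, so every RPC there must carry a context with a deadline (the removed 5-second dial timeout has no replacement in this hunk); otherwise an unreachable or blackholed server can hang the tool indefinitely instead of producing the expected-failure result the old blocking dial reported. Note also that, as far as I recall, `NewClient` resolves targets with the "dns" scheme by default where `Dial` used "passthrough", which may change how a bare host:port or a unix-socket path in `serverAddr` is interpreted; a comment on the new `dialOpts` line such as `// NewClient connects lazily: reachability and timeouts are enforced per RPC via context deadlines, not here.` would record that contract for callers. `dial`'s body continues past the end of this hunk.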
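Review bot: The rewritten error on the `AppendCertsFromPEM` failure path still omits the file name, so a misconfigured CA file is reported only as "Failed to create CA certificate pool" with no pointer to the offending path, even though `caCertFile` is already in scope two lines above; `return nil, fmt.Errorf("no valid PEM certificates found in CA cert file %q", caCertFile)` gives the operator something to act on. `AppendCertsFromPEM` returns false when nothing in the data parsed as a certificate, so an empty file or a file holding only a private key also lands here, which the message could say. The enclosing `dial` function starts and ends outside this hunk.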
@@ -153,29 +153,16 @@ func dial(serverAddr string, caCertFile string, clientCertFile string, clientKey fmt.Println("Dialing...", serverAddr) - ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) - conn, err := grpc.DialContext(ctx, serverAddr, dialOpts...) - return conn, err, ctx, cancel + conn, err := grpc.NewClient(serverAddr, dialOpts...) + return conn, err } func run(serverAddr string, readsShouldWork bool, writesShouldWork bool, clientCertFile string, clientKeyFile string, caCertFile string, basicAuthUser string, basicAuthPass string) error { - conn, err, ctx, cancel := dial(serverAddr, caCertFile, clientCertFile, clientKeyFile, basicAuthUser, basicAuthPass) + conn, err := dial(serverAddr, caCertFile, clientCertFile, clientKeyFile, basicAuthUser, basicAuthPass) if conn != nil { defer conn.Close() } - defer cancel() - - select { - case <-ctx.Done(): - if !readsShouldWork && !writesShouldWork { - fmt.Println("Gave up dialing, as expected:", ctx.Err()) - return nil - } - - return fmt.Errorf("Failed to connect to %q: %w", serverAddr, ctx.Err()) - default: - } if err != nil || conn == nil { return fmt.Errorf("Failed to connect %q: %w", serverAddr, err)