Merge branch 'main' into get-node-selectors-fix

spiffe · Apr 5, 2024 · 0c86c8d · 0c86c8d
2 parents 2b3e69e + fb50a1a
commit 0c86c8d
Show file tree

Hide file tree

Showing 11 changed files with 47 additions and 24 deletions.
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -6,7 +6,7 @@ on:
     types:
       - checks_requested
 env:
-  GO_VERSION: 1.22.1
+  GO_VERSION: 1.22.2
 permissions:
   contents: read
 

diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
@@ -4,7 +4,7 @@ on:
     tags:
       - 'v[0-9].[0-9]+.[0-9]+'
 env:
-  GO_VERSION: 1.22.1
+  GO_VERSION: 1.22.2
 jobs:
   cache-deps:
     name: cache-deps (linux)

diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.22.1
+1.22.2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.9.2] - 2024-03-25
 
 ### Added
@@ -52,6 +59,13 @@
 
 - X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
 
+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.8.8] - 2024-03-05
 
 ### Security

diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/aws/smithy-go v1.20.1
 	github.com/blang/semver/v4 v4.0.0
 	github.com/cenkalti/backoff/v4 v4.3.0
-	github.com/docker/docker v25.0.4+incompatible
+	github.com/docker/docker v26.0.0+incompatible
 	github.com/envoyproxy/go-control-plane v0.12.0
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
 	github.com/go-jose/go-jose/v3 v3.0.3
@@ -254,6 +254,7 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect

diff --git a/go.sum b/go.sum
@@ -714,8 +714,8 @@ github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1x
 github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v25.0.4+incompatible h1:XITZTrq+52tZyZxUOtFIahUf3aH367FLxJzt9vZeAF8=
-github.com/docker/docker v25.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -1207,6 +1207,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

diff --git a/pkg/agent/plugin/workloadattestor/docker/docker_test.go b/pkg/agent/plugin/workloadattestor/docker/docker_test.go
@@ -194,7 +194,7 @@ func TestDockerConfigDefault(t *testing.T) {
 
 	require.NotNil(t, p.docker)
 	require.Equal(t, dockerclient.DefaultDockerHost, p.docker.(*dockerclient.Client).DaemonHost())
-	require.Equal(t, "1.44", p.docker.(*dockerclient.Client).ClientVersion())
+	require.Equal(t, "1.45", p.docker.(*dockerclient.Client).ClientVersion())
 	verifyConfigDefault(t, p.c)
 }
 

diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go
@@ -8,7 +8,7 @@ const (
 	// IMPORTANT: When updating, make sure to reconcile the versions list that
 	// is part of the upgrade integration test. See
 	// test/integration/suites/upgrade/README.md for details.
-	Base = "1.9.3"
+	Base = "1.9.4"
 )
 
 var (

diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go
@@ -216,12 +216,16 @@ import (
 // | v1.8.7  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.8.8  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.8.9  |        |                                                                           |
 // |*********|********|***************************************************************************|
 // | v1.9.0  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.9.1  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.9.2  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.9.3  |        |                                                                           |
 // ================================================================================================
 
 const (

diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -64,6 +64,9 @@ const (
 
 	// PostgreSQL database type provided by an AWS service
 	AWSPostgreSQL = "aws_postgres"
+
+	// Maximum size for preallocation in a paginated request
+	maxResultPreallocation = 1000
 )
 
 // Configuration for the sql datastore implementation.
@@ -1746,13 +1749,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
 	}
 	defer rows.Close()
 
-	var nodes []*common.AttestedNode
-	if req.Pagination != nil {
-		nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
-	} else {
-		nodes = make([]*common.AttestedNode, 0, 64)
-	}
-
+	nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
 	pushNode := func(node *common.AttestedNode) {
 		if node != nil && node.SpiffeId != "" {
 			nodes = append(nodes, node)
@@ -2803,15 +2800,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
 		return nil, sqlError.Wrap(err)
 	}
 	defer rows.Close()
-	var entries []*common.RegistrationEntry
-	if req.Pagination != nil {
-		entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
-	} else {
-		// start the slice off with a little capacity to avoid the first few
-		// reallocations
-		entries = make([]*common.RegistrationEntry, 0, 64)
-	}
-
+	entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
 	pushEntry := func(entry *common.RegistrationEntry) {
 		// Due to previous bugs (i.e. #1191), there can be cruft rows related
 		// to a deleted registration entries that are fetched with the list
@@ -4783,3 +4772,14 @@ func isPostgresDbType(dbType string) bool {
 func isSQLiteDbType(dbType string) bool {
 	return dbType == SQLite
 }
+
+func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
+	switch {
+	case pagination == nil:
+		return 64
+	case pagination.PageSize < maxResultPreallocation:
+		return pagination.PageSize
+	default:
+		return maxResultPreallocation
+	}
+}
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt
@@ -7,6 +7,8 @@
 1.8.6
 1.8.7
 1.8.8
+1.8.9
 1.9.0
 1.9.1
 1.9.2
+1.9.3
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,8 @@ @@
 .8.6
 .8.7
 .8.8
+.8.9
 .9.0
 .9.1
 .9.2
+.9.3