From e18f065548f696496fa2157d494abd08920b5e63 Mon Sep 17 00:00:00 2001
From: Vasiliy Ulyanov <vulyanov@suse.de>
Date: Tue, 19 Jul 2022 09:32:03 +0200
Subject: [PATCH] Update go-restful to 2.16.0
The updated version fixes 'Authorization Bypass Through User-Controlled
Key' vulnerability (CVE-2022-1996).
References:
https://github.com/emicklei/go-restful/issues/489
https://github.com/emicklei/go-restful/pull/503
Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
---
go.mod | 2 +-
go.sum | 3 +-
.../emicklei/go-restful/BUILD.bazel | 1 +
.../github.com/emicklei/go-restful/CHANGES.md | 4 ++
.../emicklei/go-restful/cors_filter.go | 67 ++++++++-----------
.../emicklei/go-restful/parameter.go | 8 +++
.../github.com/emicklei/go-restful/request.go | 8 ++-
.../emicklei/go-restful/response.go | 2 +-
.../github.com/emicklei/go-restful/route.go | 2 +-
.../emicklei/go-restful/route_reader.go | 66 ++++++++++++++++++
.../emicklei/go-restful/web_service.go | 12 ++++
vendor/modules.txt | 2 +-
12 files changed, 133 insertions(+), 44 deletions(-)
create mode 100644 vendor/github.com/emicklei/go-restful/route_reader.go
diff --git a/go.mod b/go.mod
index ce00b1a5..88d938a8 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
github.com/coreos/go-semver v0.3.0
github.com/coreos/prometheus-operator v0.38.1-0.20200424145508-7e176fda06cc
github.com/docker/go-units v0.4.0
- github.com/emicklei/go-restful v2.15.0+incompatible
+ github.com/emicklei/go-restful v2.16.0+incompatible
github.com/emicklei/go-restful-openapi v1.2.0
github.com/ghodss/yaml v1.0.0
github.com/go-logr/logr v1.2.3
diff --git a/go.sum b/go.sum
index de199ab5..ec0be576 100644
--- a/go.sum
+++ b/go.sum
@@ -415,8 +415,9 @@ github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb
github.com/emicklei/go-restful v2.8.1+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful v2.9.6+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
-github.com/emicklei/go-restful v2.15.0+incompatible h1:8KpYO/Xl/ZudZs5RNOEhWMBY4hmzlZhhRd9cu+jrZP4=
github.com/emicklei/go-restful v2.15.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
+github.com/emicklei/go-restful v2.16.0+incompatible h1:rgqiKNjTnFQA6kkhFe16D8epTksy9HQ1MyrbDXSdYhM=
+github.com/emicklei/go-restful v2.16.0+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
github.com/emicklei/go-restful-openapi v1.2.0 h1:ohRZ1yEZERGzqaozBgxa3A0lt6c6KF14xhs3IL9ECwg=
github.com/emicklei/go-restful-openapi v1.2.0/go.mod h1:cy7o3Ge8ZWZ5E90mpEY81sJZZFs2pkuYcLvfngYy1l0=
github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
diff --git a/vendor/github.com/emicklei/go-restful/BUILD.bazel b/vendor/github.com/emicklei/go-restful/BUILD.bazel
index b0fd1e67..dd4c043f 100644
--- a/vendor/github.com/emicklei/go-restful/BUILD.bazel
+++ b/vendor/github.com/emicklei/go-restful/BUILD.bazel
@@ -28,6 +28,7 @@ go_library(
"response.go",
"route.go",
"route_builder.go",
+ "route_reader.go",
"router.go",
"service_error.go",
"web_service.go",
diff --git a/vendor/github.com/emicklei/go-restful/CHANGES.md b/vendor/github.com/emicklei/go-restful/CHANGES.md
index f7409d54..3a529947 100644
--- a/vendor/github.com/emicklei/go-restful/CHANGES.md
+++ b/vendor/github.com/emicklei/go-restful/CHANGES.md
@@ -1,5 +1,9 @@
# Change history of go-restful (v2 only)
+## v2.16.0 - 2022-07-11
+
+- Backported CORS filter. #489 (#493) #503
+
## v2.15.0 - 2020-11-10
- Add OPTIONS in Webservice
diff --git a/vendor/github.com/emicklei/go-restful/cors_filter.go b/vendor/github.com/emicklei/go-restful/cors_filter.go
index 1efeef07..9d18dfb7 100644
--- a/vendor/github.com/emicklei/go-restful/cors_filter.go
+++ b/vendor/github.com/emicklei/go-restful/cors_filter.go
@@ -18,9 +18,22 @@ import (
// http://enable-cors.org/server.html
// http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
type CrossOriginResourceSharing struct {
- ExposeHeaders []string // list of Header names
- AllowedHeaders []string // list of Header names
- AllowedDomains []string // list of allowed values for Http Origin. An allowed value can be a regular expression to support subdomain matching. If empty all are allowed.
+ ExposeHeaders []string // list of Header names
+
+ // AllowedHeaders is alist of Header names. Checking is case-insensitive.
+ // The list may contain the special wildcard string ".*" ; all is allowed
+ AllowedHeaders []string
+
+ // AllowedDomains is a list of allowed values for Http Origin.
+ // The list may contain the special wildcard string ".*" ; all is allowed
+ // If empty all are allowed.
+ AllowedDomains []string
+
+ // AllowedDomainFunc is optional and is a function that will do the check
+ // when the origin is not part of the AllowedDomains and it does not contain the wildcard ".*".
+ AllowedDomainFunc func(origin string) bool
+
+ // AllowedMethods is either empty or has a list of http methods names. Checking is case-insensitive.
AllowedMethods []string
MaxAge int // number of seconds before requiring new Options request
CookiesAllowed bool
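Review bot: The new AllowedDomainFunc comment says the callback is consulted only when the origin is not in AllowedDomains, but isOriginAllowed in the next hunk of this file also calls it when AllowedDomains is empty, so configuring the func together with an empty list silently turns the previous allow-all default into func-decides; the comment should state that, e.g. `// AllowedDomainFunc is optional. When set it is consulted when AllowedDomains is empty, and otherwise when the origin matches neither an entry nor the wildcard ".*".` The AllowedHeaders comment also has a typo, `alist` should be `a list`. The struct declaration continues outside the hunk.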
@@ -119,36 +132,24 @@ func (c CrossOriginResourceSharing) isOriginAllowed(origin string) bool {
if len(origin) == 0 {
return false
}
+ lowerOrigin := strings.ToLower(origin)
if len(c.AllowedDomains) == 0 {
+ if c.AllowedDomainFunc != nil {
+ return c.AllowedDomainFunc(lowerOrigin)
+ }
return true
}
- allowed := false
+ // exact match on each allowed domain
for _, domain := range c.AllowedDomains {
- if domain == origin {
- allowed = true
- break
+ if domain == ".*" || strings.ToLower(domain) == lowerOrigin {
+ return true
}
}
-
- if !allowed {
- if len(c.allowedOriginPatterns) == 0 {
- // compile allowed domains to allowed origin patterns
- allowedOriginRegexps, err := compileRegexps(c.AllowedDomains)
- if err != nil {
- return false
- }
- c.allowedOriginPatterns = allowedOriginRegexps
- }
-
- for _, pattern := range c.allowedOriginPatterns {
- if allowed = pattern.MatchString(origin); allowed {
- break
- }
- }
+ if c.AllowedDomainFunc != nil {
+ return c.AllowedDomainFunc(origin)
}
-
- return allowed
+ return false
}
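Review bot: AllowedDomainFunc receives lowerOrigin on the empty-list path but the original-case origin on the fallthrough at the end of the function, so a callback that compares case-sensitively behaves differently depending on whether AllowedDomains is populated; pass the same value on both paths, `return c.AllowedDomainFunc(lowerOrigin)`, or document which form the callback is given. The removed lines were the only users of c.allowedOriginPatterns visible here, so if that field is still declared in the struct it is presumably dead now and could be dropped. The function's signature is only visible in the hunk header.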
func (c CrossOriginResourceSharing) setAllowOriginHeader(req *Request, resp *Response) {
@@ -184,19 +185,9 @@ func (c CrossOriginResourceSharing) isValidAccessControlRequestHeader(header str
if strings.ToLower(each) == strings.ToLower(header) {
return true
}
- }
- return false
-}
-
-// Take a list of strings and compile them into a list of regular expressions.
-func compileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
- regexps := []*regexp.Regexp{}
- for _, regexpStr := range regexpStrings {
- r, err := regexp.Compile(regexpStr)
- if err != nil {
- return regexps, err
+ if each == "*" {
+ return true
}
- regexps = append(regexps, r)
}
- return regexps, nil
+ return false
}
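Review bot: The header wildcard accepted on the added line is the literal `*`, while the AllowedHeaders comment in the first hunk of this file says the wildcard is `.*`, so a configuration written against the documentation would not be honoured; since header lists are not patterns the comment is the better candidate to change, `// The list may contain the special wildcard string "*" ; all is allowed`. If `.*` is meant to keep working for existing configurations, the check should accept both spellings instead. isValidAccessControlRequestHeader begins outside the hunk.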
diff --git a/vendor/github.com/emicklei/go-restful/parameter.go b/vendor/github.com/emicklei/go-restful/parameter.go
index e8793304..febe2cc1 100644
--- a/vendor/github.com/emicklei/go-restful/parameter.go
+++ b/vendor/github.com/emicklei/go-restful/parameter.go
@@ -20,6 +20,9 @@ const (
// FormParameterKind = indicator of Request parameter type "form"
FormParameterKind
+ // MultiPartFormParameterKind = indicator of Request parameter type "multipart/form-data"
+ MultiPartFormParameterKind
+
// CollectionFormatCSV comma separated values `foo,bar`
CollectionFormatCSV = CollectionFormat("csv")
@@ -94,6 +97,11 @@ func (p *Parameter) beForm() *Parameter {
return p
}
+func (p *Parameter) beMultiPartForm() *Parameter {
+ p.data.Kind = MultiPartFormParameterKind
+ return p
+}
+
// Required sets the required field and returns the receiver
func (p *Parameter) Required(required bool) *Parameter {
p.data.Required = required
diff --git a/vendor/github.com/emicklei/go-restful/request.go b/vendor/github.com/emicklei/go-restful/request.go
index a20730fe..05d76811 100644
--- a/vendor/github.com/emicklei/go-restful/request.go
+++ b/vendor/github.com/emicklei/go-restful/request.go
@@ -17,6 +17,7 @@ type Request struct {
pathParameters map[string]string
attributes map[string]interface{} // for storing request-scoped values
selectedRoutePath string // root path + route path that matched the request, e.g. /meetings/{id}/attendees
+ selectedRoute *Route
}
func NewRequest(httpRequest *http.Request) *Request {
@@ -114,5 +115,10 @@ func (r Request) Attribute(name string) interface{} {
// SelectedRoutePath root path + route path that matched the request, e.g. /meetings/{id}/attendees
func (r Request) SelectedRoutePath() string {
- return r.selectedRoutePath
+ return r.selectedRoute.Path
+}
+
+// SelectedRoute return the Route that selected by the container
+func (r Request) SelectedRoute() RouteReader {
+ return routeAccessor{route: r.selectedRoute}
}
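Review bot: SelectedRoutePath now dereferences r.selectedRoute, which is nil for a Request built with NewRequest and never dispatched through a Route (the only assignment in this patch is in route.go's wrapRequestResponse), so a call that used to return "" becomes a nil-pointer panic; guard it, `if r.selectedRoute == nil { return "" }`, and give SelectedRoute the same treatment since every routeAccessor method dereferences route as well. The selectedRoutePath field kept in the struct does not appear to be written anywhere in this patch and is presumably dead. The SelectedRoute doc comment is ungrammatical; `// SelectedRoute returns the Route the container selected for this request.`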
diff --git a/vendor/github.com/emicklei/go-restful/response.go b/vendor/github.com/emicklei/go-restful/response.go
index e2f78f00..8f0b56aa 100644
--- a/vendor/github.com/emicklei/go-restful/response.go
+++ b/vendor/github.com/emicklei/go-restful/response.go
@@ -175,7 +175,7 @@ func (r *Response) WriteHeaderAndJson(status int, value interface{}, contentType
}
// WriteError writes the http status and the error string on the response. err can be nil.
-// Return an error if writing was not succesful.
+// Return an error if writing was not successful.
func (r *Response) WriteError(httpStatus int, err error) (writeErr error) {
r.err = err
if err == nil {
diff --git a/vendor/github.com/emicklei/go-restful/route.go b/vendor/github.com/emicklei/go-restful/route.go
index 598aa57a..6ac26129 100644
--- a/vendor/github.com/emicklei/go-restful/route.go
+++ b/vendor/github.com/emicklei/go-restful/route.go
@@ -69,7 +69,7 @@ func (r *Route) postBuild() {
func (r *Route) wrapRequestResponse(httpWriter http.ResponseWriter, httpRequest *http.Request, pathParams map[string]string) (*Request, *Response) {
wrappedRequest := NewRequest(httpRequest)
wrappedRequest.pathParameters = pathParams
- wrappedRequest.selectedRoutePath = r.Path
+ wrappedRequest.selectedRoute = r
wrappedResponse := NewResponse(httpWriter)
wrappedResponse.requestAccept = httpRequest.Header.Get(HEADER_Accept)
wrappedResponse.routeProduces = r.Produces
diff --git a/vendor/github.com/emicklei/go-restful/route_reader.go b/vendor/github.com/emicklei/go-restful/route_reader.go
new file mode 100644
index 00000000..c9f4ee75
--- /dev/null
+++ b/vendor/github.com/emicklei/go-restful/route_reader.go
@@ -0,0 +1,66 @@
+package restful
+
+// Copyright 2021 Ernest Micklei. All rights reserved.
+// Use of this source code is governed by a license
+// that can be found in the LICENSE file.
+
+type RouteReader interface {
+ Method() string
+ Consumes() []string
+ Path() string
+ Doc() string
+ Notes() string
+ Operation() string
+ ParameterDocs() []*Parameter
+ // Returns a copy
+ Metadata() map[string]interface{}
+ Deprecated() bool
+}
+
+type routeAccessor struct {
+ route *Route
+}
+
+func (r routeAccessor) Method() string {
+ return r.route.Method
+}
+func (r routeAccessor) Consumes() []string {
+ return r.route.Consumes[:]
+}
+func (r routeAccessor) Path() string {
+ return r.route.Path
+}
+func (r routeAccessor) Doc() string {
+ return r.route.Doc
+}
+func (r routeAccessor) Notes() string {
+ return r.route.Notes
+}
+func (r routeAccessor) Operation() string {
+ return r.route.Operation
+}
+func (r routeAccessor) ParameterDocs() []*Parameter {
+ return r.route.ParameterDocs[:]
+}
+
+// Returns a copy
+func (r routeAccessor) Metadata() map[string]interface{} {
+ return copyMap(r.route.Metadata)
+}
+func (r routeAccessor) Deprecated() bool {
+ return r.route.Deprecated
+}
+
+// https://stackoverflow.com/questions/23057785/how-to-copy-a-map
+func copyMap(m map[string]interface{}) map[string]interface{} {
+ cp := make(map[string]interface{})
+ for k, v := range m {
+ vm, ok := v.(map[string]interface{})
+ if ok {
+ cp[k] = copyMap(vm)
+ } else {
+ cp[k] = v
+ }
+ }
+ return cp
+}
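Review bot: Consumes and ParameterDocs return `r.route.Consumes[:]` and `r.route.ParameterDocs[:]`, which are full slice expressions over the same backing array, so a holder of the read-only RouteReader can still modify the Route's slices in place; copy them instead, `return append([]string(nil), r.route.Consumes...)` and `return append([]*Parameter(nil), r.route.ParameterDocs...)`. The exported RouteReader interface has no doc comment; something like `// RouteReader gives read-only access to the Route selected for a Request.` Next to copyMap it is worth stating that only nested map[string]interface{} values are copied recursively, while slices and other reference values inside Metadata remain shared with the original.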
diff --git a/vendor/github.com/emicklei/go-restful/web_service.go b/vendor/github.com/emicklei/go-restful/web_service.go
index 2c164a2a..2eac4149 100644
--- a/vendor/github.com/emicklei/go-restful/web_service.go
+++ b/vendor/github.com/emicklei/go-restful/web_service.go
@@ -165,6 +165,18 @@ func FormParameter(name, description string) *Parameter {
return p
}
+// MultiPartFormParameter creates a new Parameter of kind Form (using multipart/form-data) for documentation purposes.
+// It is initialized as required with string as its DataType.
+func (w *WebService) MultiPartFormParameter(name, description string) *Parameter {
+ return MultiPartFormParameter(name, description)
+}
+
+func MultiPartFormParameter(name, description string) *Parameter {
+ p := &Parameter{&ParameterData{Name: name, Description: description, Required: false, DataType: "string"}}
+ p.beMultiPartForm()
+ return p
+}
+
// Route creates a new Route using the RouteBuilder and add to the ordered list of Routes.
func (w *WebService) Route(builder *RouteBuilder) *WebService {
w.routesLock.Lock()
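Review bot: The added doc comment says the parameter `is initialized as required`, but the constructor below sets `Required: false`; either flip the flag or correct the comment, `// It is initialized as not required, with string as its DataType.` The comment sits on the method while the exported package-level MultiPartFormParameter, which holds the actual logic, has none; since the method only delegates, the function should carry its own comment. The enclosing file section continues outside the hunk.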
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 8529e234..5fc30854 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -161,7 +161,7 @@ github.com/docker/go-metrics
github.com/docker/go-units
# github.com/elazarl/goproxy v0.0.0-20190911111923-ecfe977594f1
## explicit
-# github.com/emicklei/go-restful v2.15.0+incompatible
+# github.com/emicklei/go-restful v2.16.0+incompatible
## explicit
github.com/emicklei/go-restful
github.com/emicklei/go-restful/log
--
2.37.1