From 10325da2986b243a45d804790645835429b287e0 Mon Sep 17 00:00:00 2001 
From: Sanaz Taheri <35961250+staheri14@users.noreply.github.com> Date: Mon, 11 Mar 2024 15:02:27 -0700 Subject: [PATCH] chore: updates to go1.22.1 (#1260) To pick up the Go vulnerability fixes shipped in the new patch release: ``` Vulnerability #1: GO-2024-2610 Errors returned from JSON marshaling may break template escaping in html/template More info: https://pkg.go.dev/vuln/GO-2024-2610 Standard library Found in: html/template@go1.22 Fixed in: html/template@go1.22.1 Example traces found: #1: test/fuzz/rpc/jsonrpc/server/handler.go:30:15: server.Fuzz calls http.ServeMux.ServeHTTP, which eventually calls template.Template.Execute #2: rpc/jsonrpc/server/http_server.go:256:15: server.maxBytesHandler.ServeHTTP calls http.HandlerFunc.ServeHTTP, which eventually calls template.Template.ExecuteTemplate Vulnerability #2: GO-2024-2600 Incorrect forwarding of sensitive headers and cookies on HTTP redirect in net/http More info: https://pkg.go.dev/vuln/GO-2024-2600 Standard library Found in: net/http@go1.22 Fixed in: net/http@go1.22.1 Example traces found: #1: rpc/jsonrpc/client/http_json_client.go:213:34: client.Client.Call calls http.Client.Do #2: libs/cli/setup.go:89:26: cli.Executor.Execute calls cobra.Command.Execute, which eventually calls http.Client.Get #3: p2p/upnp/upnp.go:205:20: upnp.getServiceURL calls http.Get Vulnerability #3: GO-2024-2599 Memory exhaustion in multipart form parsing in net/textproto and net/http More info: https://pkg.go.dev/vuln/GO-2024-2599 Standard library Found in: net/textproto@go1.22 Fixed in: net/textproto@go1.22.1 Example traces found: #1: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadLine #2: rpc/jsonrpc/server/http_server.go:62:16: server.Serve calls http.Server.Serve, which eventually calls textproto.Reader.ReadMIMEHeader Vulnerability #4: GO-2024-2598 Verify panics on certificates with an unknown public key algorithm in crypto/x509 More info: 
https://pkg.go.dev/vuln/GO-2024-2598 Standard library Found in: crypto/x509@go1.22 Fixed in: crypto/x509@go1.22.1 Example traces found: #1: libs/autofile/group.go:479:30: autofile.GroupReader.Read calls bufio.Reader.Read, which eventually calls x509.Certificate.Verify Your code is affected by 4 vulnerabilities from the Go standard library. ``` --- .github/workflows/check-generated.yml | 2 +- .github/workflows/coverage.yml | 6 +++--- .github/workflows/e2e-manual.yml | 2 +- .github/workflows/e2e-nightly-34x.yml | 2 +- .github/workflows/e2e.yml | 2 +- .github/workflows/fuzz-nightly.yml | 2 +- .github/workflows/govulncheck.yml | 2 +- .github/workflows/pre-release.yml | 2 +- .github/workflows/release-version.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/tests.yml | 4 ++-- DOCKER/Dockerfile | 2 +- README.md | 2 +- go.mod | 2 +- scripts/proto-gen.sh | 2 +- test/docker/Dockerfile | 2 +- test/e2e/docker/Dockerfile | 2 +- 17 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/check-generated.yml b/.github/workflows/check-generated.yml index 58525bf67e..9360e69c8f 100644 --- a/.github/workflows/check-generated.yml +++ b/.github/workflows/check-generated.yml @@ -43,7 +43,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: "1.22" + go-version: "1.22.1" - uses: actions/checkout@v3 with: diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 010f43c259..8e20ce20bc 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -12,7 +12,7 @@ jobs: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: - go-version: "1.22" + go-version: "1.22.1" - name: Create a file with all the pkgs run: go list ./... > pkgs.txt - name: Split pkgs into 4 files @@ -48,7 +48,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: "1.22" + go-version: "1.22.1" - uses: actions/checkout@v3 - uses: technote-space/get-diff-action@v6 with: 
@@ -70,7 +70,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: "1.22" + go-version: "1.22.1" - uses: actions/checkout@v3 - uses: technote-space/get-diff-action@v6 with: diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml index 8e83db9140..b34d1b47ae 100644 --- a/.github/workflows/e2e-manual.yml +++ b/.github/workflows/e2e-manual.yml @@ -16,7 +16,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - uses: actions/checkout@v3 diff --git a/.github/workflows/e2e-nightly-34x.yml b/.github/workflows/e2e-nightly-34x.yml index 90763bf680..cedac714a4 100644 --- a/.github/workflows/e2e-nightly-34x.yml +++ b/.github/workflows/e2e-nightly-34x.yml @@ -23,7 +23,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - uses: actions/checkout@v3 with: diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 08a97b9e85..e0dd7a15de 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -14,7 +14,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - uses: actions/checkout@v3 - uses: technote-space/get-diff-action@v6 with: diff --git a/.github/workflows/fuzz-nightly.yml b/.github/workflows/fuzz-nightly.yml index 468b12aea2..e3303fbd7d 100644 --- a/.github/workflows/fuzz-nightly.yml +++ b/.github/workflows/fuzz-nightly.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - uses: actions/checkout@v3 diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index 04a3377e93..61432caac0 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -16,7 +16,7 @@ jobs: steps: - uses: actions/setup-go@v3 with: - go-version: "1.22" + go-version: "1.22.1" - uses: actions/checkout@v3 - uses: technote-space/get-diff-action@v6 with: 
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index 45d1d6e14c..fd53542e41 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -18,7 +18,7 @@ jobs: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' # Similar check to ./release-version.yml, but enforces this when pushing # tags. The ./release-version.yml check can be bypassed and is mainly diff --git a/.github/workflows/release-version.yml b/.github/workflows/release-version.yml index 4f620ea24f..324c64b415 100644 --- a/.github/workflows/release-version.yml +++ b/.github/workflows/release-version.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - name: Check version run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d616cbfcda..9e89cb7d0e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/setup-go@v4 with: - go-version: '1.22' + go-version: '1.22.1' - name: Generate release notes run: | diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1c0e558d92..ab3a1c48ed 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -25,7 +25,7 @@ jobs: steps: - uses: actions/setup-go@v4 with: - go-version: "1.22" + go-version: "1.22.1" - uses: actions/checkout@v3 - uses: technote-space/get-diff-action@v6 with: @@ -58,7 +58,7 @@ jobs: # steps: # - uses: actions/setup-go@v3 # with: - # go-version: "1.22" + # go-version: "1.22.1" # - uses: actions/checkout@v3 # - uses: technote-space/get-diff-action@v6 # with: diff --git a/DOCKER/Dockerfile b/DOCKER/Dockerfile index a5188db391..a99e55a316 100644 --- a/DOCKER/Dockerfile +++ b/DOCKER/Dockerfile 
@@ -1,6 +1,6 @@ # Use a build arg to ensure that both stages use the same, # hopefully current, go version. -ARG GOLANG_BASE_IMAGE=golang:1.22-alpine +ARG GOLANG_BASE_IMAGE=golang:1.22.1-alpine # stage 1 Generate CometBFT Binary FROM --platform=$BUILDPLATFORM $GOLANG_BASE_IMAGE as builder diff --git a/README.md b/README.md index f625fb496f..a41fb83f01 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ This repo intends on preserving the minimal possible diff with [cometbft/cometbf - **specific to Celestia**: consider if [celestia-app](https://github.com/celestiaorg/celestia-app) is a better target - **not specific to Celestia**: consider making the contribution upstream in CometBFT -1. [Install Go](https://go.dev/doc/install) 1.22+ +1. [Install Go](https://go.dev/doc/install) 1.22.1+ 2. Fork this repo 3. Clone your fork 4. Find an issue to work on (see [good first issues](https://github.com/celestiaorg/celestia-core/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22)) diff --git a/go.mod b/go.mod index b3ea1e7067..8acd74b097 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cometbft/cometbft -go 1.22 +go 1.22.1 require ( github.com/BurntSushi/toml v1.2.1 diff --git a/scripts/proto-gen.sh b/scripts/proto-gen.sh index 0420088fd3..97eecb9576 100755 --- a/scripts/proto-gen.sh +++ b/scripts/proto-gen.sh @@ -10,7 +10,7 @@ cd "$(git rev-parse --show-toplevel)" # Run inside Docker to install the correct versions of the required tools # without polluting the local system. -docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22-alpine sh <<"EOF" +docker run --rm -i -v "$PWD":/w --workdir=/w golang:1.22.1-alpine sh <<"EOF" apk add git make go install github.com/bufbuild/buf/cmd/buf diff --git a/test/docker/Dockerfile b/test/docker/Dockerfile index 1d3a685b2c..3e6bc8183a 100644 --- a/test/docker/Dockerfile +++ b/test/docker/Dockerfile 
@@ -1,4 +1,4 @@ -FROM golang:1.22 +FROM golang:1.22.1 # Grab deps (jq, hexdump, xxd, killall) RUN apt-get update && \ diff --git a/test/e2e/docker/Dockerfile b/test/e2e/docker/Dockerfile index 9e53e2e48c..d00386b8a7 100644 --- a/test/e2e/docker/Dockerfile +++ b/test/e2e/docker/Dockerfile @@ -1,7 +1,7 @@ # We need to build in a Linux environment to support C libraries, e.g. RocksDB. # We use Debian instead of Alpine, so that we can use binary database packages # instead of spending time compiling them. -FROM golang:1.22-bullseye +FROM golang:1.22.1-bullseye RUN apt-get -qq update -y && apt-get -qq upgrade -y >/dev/null RUN apt-get -qq install -y libleveldb-dev librocksdb-dev >/dev/null