
- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
- Bump to v1.8.9
- Update CHANGELOG

Signed-off-by: Agustín Martínez Fayó <[email protected]>
amartinezfayo committed Apr 4, 2024
1 parent f847aab commit 628489e
Showing 8 changed files with 30 additions and 20 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/pr_build.yaml
Expand Up @@ -3,7 +3,7 @@ on:
pull_request: {}
workflow_dispatch: {}
env:
GO_VERSION: 1.21.8
GO_VERSION: 1.21.9
permissions:
contents: read

2 changes: 1 addition & 1 deletion .github/workflows/release_build.yaml
Expand Up @@ -4,7 +4,7 @@ on:
tags:
- 'v[0-9].[0-9]+.[0-9]+'
env:
GO_VERSION: 1.21.8
GO_VERSION: 1.21.9
jobs:
cache-deps:
name: cache-deps (linux)
2 changes: 1 addition & 1 deletion .go-version
@@ -1 +1 @@
1.21.8
1.21.9
7 changes: 7 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,12 @@
# Changelog

## [1.8.9] - 2024-04-03

### Security

- Updated to Go 1.21.9 to address CVE-2023-45288
- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs

## [1.8.8] - 2024-03-05

### Security
2 changes: 1 addition & 1 deletion pkg/common/version/version.go
Expand Up @@ -8,7 +8,7 @@ const (
// IMPORTANT: When updating, make sure to reconcile the versions list that
// is part of the upgrade integration test. See
// test/integration/suites/upgrade/README.md for details.
Base = "1.8.8"
Base = "1.8.9"
)

var (
2 changes: 2 additions & 0 deletions pkg/server/datastore/sqlstore/migration.go
Expand Up @@ -216,6 +216,8 @@ import (
// | v1.8.7 | | |
// |---------| | |
// | v1.8.8 | | |
// |---------| | |
// | v1.8.9 | | |
// ================================================================================================

const (
32 changes: 16 additions & 16 deletions pkg/server/datastore/sqlstore/sqlstore.go
Expand Up @@ -55,6 +55,9 @@ const (
PostgreSQL = "postgres"
// SQLite database type
SQLite = "sqlite3"

// Maximum size for preallocation in a paginated request
maxResultPreallocation = 1000
)

// Configuration for the sql datastore implementation.
Expand Down Expand Up @@ -1579,13 +1582,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
}
defer rows.Close()

var nodes []*common.AttestedNode
if req.Pagination != nil {
nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
} else {
nodes = make([]*common.AttestedNode, 0, 64)
}

nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
pushNode := func(node *common.AttestedNode) {
if node != nil && node.SpiffeId != "" {
nodes = append(nodes, node)
Expand Down Expand Up @@ -2646,15 +2643,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
}
defer rows.Close()

var entries []*common.RegistrationEntry
if req.Pagination != nil {
entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
} else {
// start the slice off with a little capacity to avoid the first few
// reallocations
entries = make([]*common.RegistrationEntry, 0, 64)
}

entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
pushEntry := func(entry *common.RegistrationEntry) {
// Due to previous bugs (i.e. #1191), there can be cruft rows related
// to a deleted registration entries that are fetched with the list
Expand Down Expand Up @@ -4398,3 +4387,14 @@ func lookupSimilarEntry(ctx context.Context, db *sqlDB, tx *gorm.DB, entry *comm
func roundedInSecondsUnix(t time.Time) int64 {
return t.Round(time.Second).Unix()
}

func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
switch {
case pagination == nil:
return 64
case pagination.PageSize < maxResultPreallocation:
return pagination.PageSize
default:
return maxResultPreallocation
}
}
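Review bot: calculateResultPreallocation returns pagination.PageSize unchanged whenever it is below maxResultPreallocation, which includes any negative value, and the `make(...)` calls it feeds in listAttestedNodesOnce and listRegistrationEntriesOnce will then panic on a negative capacity; unless a negative PageSize is already rejected before those call sites (not visible in this commit), add `case pagination.PageSize < 0:` followed by `return 0` ahead of the existing comparison. The helper is the one place that bounds a caller-supplied page size before it reaches an allocation, so it should say so in a doc comment such as `// calculateResultPreallocation caps the initial capacity of a list result at maxResultPreallocation so a client-chosen PageSize cannot force a large allocation; nil pagination gets a small default to avoid the first few reallocations.` The removed lines in listRegistrationEntriesOnce carried the explanation for the 64-element default and that comment was dropped rather than moved, which the proposed doc comment restores.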
1 change: 1 addition & 0 deletions test/integration/suites/upgrade/versions.txt
Expand Up @@ -13,3 +13,4 @@
1.8.5
1.8.6
1.8.7
1.8.8
