
chore(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.44.0 [security] (master) #135

Open
wants to merge 1 commit into
base: master
Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 24, 2024

This PR contains the following updates:

Package: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
Change: v0.20.0 -> v0.44.0

GitHub Vulnerability Alerts

CVE-2023-45142

Summary

This handler wrapper (https://github.com/open-telemetry/opentelemetry-go-contrib/blob/5f7e6ad5a49b45df45f61a1deb29d7f1158032df/instrumentation/net/http/otelhttp/handler.go#L63-L65) out of the box adds the labels

  • http.user_agent
  • http.method

that have unbounded cardinality. This leads to potential memory exhaustion of the server when many malicious requests are sent to it.

Details

The HTTP header User-Agent or the HTTP method of a request can easily be set by an attacker to be random and long. The library internally uses httpconv.ServerRequest, which records every value of the HTTP method and User-Agent.

PoC

Send many requests (e.g. a million) with long, randomly generated HTTP methods and/or User-Agents and observe how memory consumption increases during it.

Impact

In order to be affected, the program has to configure a metrics pipeline, use the otelhttp.NewHandler wrapper, and not filter unknown HTTP methods or User-Agents at the level of a CDN, LB, previous middleware, etc.

Others

It is similar to already reported vulnerabilities

Workaround for affected versions

As a workaround, otelhttp.WithFilter() can be used to stop being affected, but it requires careful manual configuration in order not to skip logging certain requests entirely.

For convenient and safe usage of this library, it should by default mark non-standard HTTP methods and User-Agents with the label unknown, to show that such requests were made without increasing cardinality. In case someone wants to keep the current behavior, the library API should allow enabling it.

The other possibility is to disable HTTP metrics instrumentation by passing otelhttp.WithMeterProvider option with noop.NewMeterProvider.

Solution provided by upgrading

In PR https://github.com/open-telemetry/opentelemetry-go-contrib/pull/4277, released with package version 0.44.0, the values collected for attribute http.request.method were changed to be restricted to a set of well-known values and other high cardinality attributes were removed.

Release Notes

open-telemetry/opentelemetry-go-contrib (go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp)

v0.24.0

0.24.0 - 2021-09-21

Update dependency on the go.opentelemetry.io/otel project to v1.0.0.

v0.23.0

0.23.0 - 2021-09-09

Added
  • Add WithoutSubSpans, WithRedactedHeaders, WithoutHeaders, and WithInsecureHeaders options for otelhttptrace.NewClientTrace. (#879)
Changed
  • Split go.opentelemetry.io/contrib/propagators module into b3, jaeger, ot modules. (#985)
  • otelmongodb span attributes, name and span status now conform to specification. (#769)
  • Migrated EC2 resource detector support from root module go.opentelemetry.io/contrib/detectors/aws to a separate EC2 resource detector module go.opentelemetry.io/contrib/detectors/aws/ec2. (#1017)
  • Add cloud.provider and cloud.platform to AWS detectors. (#1043)
  • otelhttptrace.NewClientTrace now redacts known sensitive headers by default. (#879)
Fixed
  • Fix span not marked as error in otelhttp.Transport when RoundTrip fails with an error. (#950)

v0.22.0

Added
  • Add the zpages span processor. (#894)
Changed
  • The b3.B3 type has been removed.
    b3.New() and b3.WithInjectEncoding(encoding) are added to replace it. (#868)
Fixed
  • Fix deadlocks and race conditions in otelsarama.WrapAsyncProducer.
    The messaging.message_id and messaging.kafka.partition attributes are now not set if a message was not processed. (#754) (#755) (#881)
  • Fix otelsarama.WrapAsyncProducer so that the messages from the Errors channel contain the original Metadata. (#754)

v0.21.0

0.21.0 - 2021-06-18

Fixed
  • Dockerfile based examples for otelgin and otelmacaron. (#767)
Changed
  • Supported minimum version of Go bumped from 1.14 to 1.15. (#787)
  • EKS Resource Detector now uses the Kubernetes Go client to obtain the ConfigMap. (#813)
Removed
  • Remove service name from otelmongodb configuration and span attributes. (#763)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Taipei, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
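The cardinality problem the advisory describes, and the shape of the v0.44.0 fix, as an added Go example (not otelhttp's own code or anything from this PR): a stand-in metrics pipeline is keyed once on raw method plus User-Agent and once on a method normalized to a well-known set, and both are fed the same constructed requests. The "_OTHER" fallback follows the OpenTelemetry HTTP semantic conventions; the method list, the function names and the request mix are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Well-known HTTP methods. Anything else collapses to "_OTHER", the fallback
// the OpenTelemetry HTTP semantic conventions use for http.request.method.
var knownMethods = map[string]bool{
	"CONNECT": true, "DELETE": true, "GET": true, "HEAD": true, "OPTIONS": true,
	"PATCH": true, "POST": true, "PUT": true, "TRACE": true,
}

// NormalizeMethod bounds the method label to len(knownMethods)+1 values.
func NormalizeMethod(m string) string {
	if knownMethods[m] {
		return m
	}
	return "_OTHER"
}

// VulnerableLabels mirrors the pre-v0.44.0 behaviour: raw method plus raw
// User-Agent, both fully attacker-controlled.
func VulnerableLabels(r *http.Request) string { return r.Method + "|" + r.UserAgent() }

// HardenedLabels mirrors the v0.44.0 fix: method restricted to a known set and
// User-Agent dropped from the metric attributes altogether.
func HardenedLabels(r *http.Request) string { return NormalizeMethod(r.Method) }

// CountSeries wraps next the way otelhttp.NewHandler does and keeps one counter
// per distinct label key, so memory grows with the number of keys (illustration
// only: the map is not goroutine-safe).
func CountSeries(label func(*http.Request) string, next http.Handler) (http.Handler, map[string]int) {
	series := map[string]int{}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		series[label(r)]++
		next.ServeHTTP(w, r)
	}), series
}

// Simulate feeds n constructed requests through the wrapped handler (every
// other one a GET, the rest with a unique non-standard method, all with a
// unique User-Agent) and returns how many distinct series the pipeline holds.
func Simulate(label func(*http.Request) string, n int) int {
	h, series := CountSeries(label, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	for i := 0; i < n; i++ {
		method := "GET"
		if i%2 == 1 {
			method = fmt.Sprintf("M%d", i) // constructed non-standard method
		}
		req := httptest.NewRequest(method, "/", nil)
		req.Header.Set("User-Agent", fmt.Sprintf("ua-%d", i))
		h.ServeHTTP(httptest.NewRecorder(), req)
	}
	return len(series)
}
```

With 1000 requests, Simulate(VulnerableLabels, 1000) yields 1000 series while Simulate(HardenedLabels, 1000) yields 2 (GET and _OTHER), which is the bound the upgrade restores.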

Contributor Author

renovate bot commented Dec 24, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
	github.com/harvester/harvester/pkg/indexeres imports
	github.com/rancher/steve/pkg/server imports
	github.com/rancher/steve/pkg/auth imports
	k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/traces imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/semconv/v1.17.0: cannot find module providing package go.opentelemetry.io/otel/semconv/v1.17.0
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
	github.com/harvester/harvester/pkg/indexeres imports
	github.com/rancher/steve/pkg/server imports
	github.com/rancher/steve/pkg/auth imports
	k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/traces imports
	go.opentelemetry.io/otel/exporters/otlp imports
	go.opentelemetry.io/otel/sdk/export/metric imports
	go.opentelemetry.io/otel/metric/number: cannot find module providing package go.opentelemetry.io/otel/metric/number
go: github.com/harvester/harvester-network-controller/cmd/webhook imports
	github.com/harvester/harvester/pkg/indexeres imports
	github.com/rancher/steve/pkg/server imports
	github.com/rancher/steve/pkg/auth imports
	k8s.io/apiserver/plugin/pkg/authenticator/token/webhook imports
	k8s.io/apiserver/pkg/util/webhook imports
	k8s.io/component-base/traces imports
	go.opentelemetry.io/otel/exporters/otlp imports
	go.opentelemetry.io/otel/sdk/metric/controller/basic imports
	go.opentelemetry.io/otel/metric/registry: cannot find module providing package go.opentelemetry.io/otel/metric/registry

@mingshuoqiu
Contributor

To fix the error in #135 (comment), we need to update go.opentelemetry.io/otel, go.opentelemetry.io/otel/sdk and go.opentelemetry.io/otel/trace to >=v1.20.
But it then runs into the compile error below. Will find out the cause and fix it.

# go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/instrumentation.go:22:63: undefined: commonpb.InstrumentationScope
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/instrumentation.go:26:19: undefined: commonpb.InstrumentationScope
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:39:31: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:55:25: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:70:5: unknown field ScopeSpans in struct literal of type "go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:70:28: undefined: tracepb.ScopeSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:71:5: unknown field SchemaUrl in struct literal of type "go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans
vendor/go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform/span.go:83:30: rs.ScopeSpans undefined (type *"go.opentelemetry.io/proto/otlp/trace/v1".ResourceSpans has no field or method ScopeSpans)
# k8s.io/client-go/applyconfigurations/meta/v1
vendor/k8s.io/client-go/applyconfigurations/meta/v1/unstructured.go:64:38: cannot use doc (variable of type *"github.com/google/gnostic/openapiv2".Document) as *"github.com/google/gnostic-models/openapiv2".Document value in argument to proto.NewOpenAPIData
# github.com/rancher/steve/pkg/schema/converter
vendor/github.com/rancher/steve/pkg/schema/converter/openapi.go:66:38: cannot use openapi (variable of type *"github.com/google/gnostic/openapiv2".Document) as *"github.com/google/gnostic-models/openapiv2".Document value in argument to proto.NewOpenAPIData
FATA[0086] exit status 1
