
suggestions for API #2

Merged


thaJeztah

Based on some discussions in the maintainers call:

  • remove "features" from the API definition, instead documenting it as a "well-known" status field. This keeps the actual definition of the field separate from the API specification, but documenting it as a "well-known" property still allows it to be recognisable as a "soft" contract.
  • change the "features" field to use a namespaced property ("org.opencontainers.runtime.features") to avoid possible collisions.
  • daemon.runtimeStatus(): pass context so that we can use the context-logger
  • daemon.runtimeStatus(): use structured logs for runtime-name
  • add version-handling code to the /info endpoint to omit the new fields on older API versions.

Based on some discussions in the maintainers call:

- remove "features" from the API definition, instead documenting it
  as a "well-known" status field. This keeps the actual definition of
  the field separate from the API specification, but documenting it
  as a "well-known" property still allows it to be recognisable as a
  "soft" contract.
- change the "features" field to use a namespaced property
  ("org.opencontainers.runtime.features") to avoid possible collisions.
- daemon.runtimeStatus(): pass context so that we can use the context-logger
- daemon.runtimeStatus(): use structured logs for runtime-name
- add version-handling code to the `/info` endpoint to omit the new
  fields on older API versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
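The two mechanisms the PR description relies on, a namespaced "well-known" key inside an otherwise free-form status map and version-gating of the new field on the /info endpoint, are shown below as an added, self-contained example. It is not moby's code: the `RuntimeWithStatus` and `Features` types are stand-ins (the `Features` struct reads only a subset of the OCI runtime-spec features document), the `minStatusAPIVersion` cut-off of "1.44" is an assumption, and the key string is the one from the PR description, not whatever name the project finally settled on. The runtimes map is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Well-known status key under which a runtime's OCI "features" document
// (https://github.com/opencontainers/runtime-spec/blob/main/features.md)
// is surfaced. Key name as in the PR description; the rest is example code.
const ociRuntimeFeaturesKey = "org.opencontainers.runtime.features"

// minStatusAPIVersion is an ASSUMED threshold: clients that negotiated an
// older API version never see the status map. The real cut-off is whatever
// the project's own version-handling code uses.
const minStatusAPIVersion = "1.44"

// RuntimeWithStatus is a stand-in (assumption) for a runtime entry in /info:
// the configured runtime plus an opaque, free-form status map.
type RuntimeWithStatus struct {
	Path   string            `json:"path,omitempty"`
	Status map[string]string `json:"status,omitempty"`
}

// Features is the subset of the OCI features document this example decodes.
type Features struct {
	OCIVersionMin string   `json:"ociVersionMin"`
	OCIVersionMax string   `json:"ociVersionMax"`
	Hooks         []string `json:"hooks,omitempty"`
	MountOptions  []string `json:"mountOptions,omitempty"`
}

// apiVersionLessThan compares dotted numeric API versions such as "1.43"
// component by component, so "1.9" < "1.10" is handled correctly.
func apiVersionLessThan(v, other string) bool {
	a, b := strings.Split(v, "."), strings.Split(other, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x, _ = strconv.Atoi(a[i])
		}
		if i < len(b) {
			y, _ = strconv.Atoi(b[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// filterForAPIVersion returns a copy of the runtimes map with Status cleared
// when the negotiated API version predates the field, so the JSON an old
// client receives is identical to what it got before the field existed.
func filterForAPIVersion(apiVersion string, in map[string]RuntimeWithStatus) map[string]RuntimeWithStatus {
	out := make(map[string]RuntimeWithStatus, len(in))
	for name, rt := range in { // rt is a copy; the caller's map is untouched
		if apiVersionLessThan(apiVersion, minStatusAPIVersion) {
			rt.Status = nil
		}
		out[name] = rt
	}
	return out
}

// featuresFromStatus is the consumer side of the "soft contract": the key is
// optional (nil, nil when absent), a value that is present but not valid JSON
// is reported rather than trusted, and unknown fields are ignored so a newer
// runtime-spec document still decodes.
func featuresFromStatus(status map[string]string) (*Features, error) {
	raw, ok := status[ociRuntimeFeaturesKey]
	if !ok {
		return nil, nil
	}
	var f Features
	if err := json.Unmarshal([]byte(raw), &f); err != nil {
		return nil, fmt.Errorf("invalid %s value: %w", ociRuntimeFeaturesKey, err)
	}
	return &f, nil
}

// sampleRuntimes builds a CONSTRUCTED runtimes map; the features document is
// a trimmed-down one in the shape of the OCI features.md schema.
func sampleRuntimes() map[string]RuntimeWithStatus {
	features := `{"ociVersionMin":"1.0.0","ociVersionMax":"1.1.0","hooks":["prestart","createRuntime"],"mountOptions":["ro","nosuid"],"linux":{"namespaces":["pid","net"]}}`
	return map[string]RuntimeWithStatus{
		"runc":   {Path: "runc", Status: map[string]string{ociRuntimeFeaturesKey: features}},
		"custom": {Path: "/usr/local/bin/custom-runtime"}, // reports no features at all
	}
}

func main() {
	for _, v := range []string{"1.43", minStatusAPIVersion} {
		out, _ := json.Marshal(filterForAPIVersion(v, sampleRuntimes()))
		fmt.Printf("API %s: %s\n", v, out)
	}
	f, err := featuresFromStatus(sampleRuntimes()["runc"].Status)
	fmt.Println(f.OCIVersionMax, f.Hooks, err)
}
```

Because the status map is a plain map of strings, nothing in the API schema changes when a runtime starts or stops publishing the key; only consumers that know the well-known name interpret it, and they must be prepared for it to be missing or malformed.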
// OCI runtime spec "features" struct.
//
// see https://github.com/opencontainers/runtime-spec/blob/main/features.md
const ociRuntimeFeaturesKey = "org.opencontainers.runtime.features"
AkihiroSuda (Owner)

maybe:

Suggested change:

- const ociRuntimeFeaturesKey = "org.opencontainers.runtime.features"
+ const ociRuntimeFeaturesKey = "org.opencontainers.runtime-spec.features"

@AkihiroSuda (Owner)

Thanks, will merge and squash

AkihiroSuda merged commit 3c798ff into AkihiroSuda:runtime-status on Dec 15, 2023
94 of 103 checks passed
AkihiroSuda pushed a commit that referenced this pull request Mar 15, 2024
…f v1.5.4

full diffs:

- protocolbuffers/protobuf-go@v1.31.0...v1.33.0
- golang/protobuf@v1.5.3...v1.5.4

From the Go security announcement list;

> Version v1.33.0 of the google.golang.org/protobuf module fixes a bug in
> the google.golang.org/protobuf/encoding/protojson package which could cause
> the Unmarshal function to enter an infinite loop when handling some invalid
> inputs.
>
> This condition could only occur when unmarshaling into a message which contains
> a google.protobuf.Any value, or when the UnmarshalOptions.UnmarshalUnknown
> option is set. Unmarshal now correctly returns an error when handling these
> inputs.
>
> This is CVE-2024-24786.

In a follow-up post;

> A small correction: This vulnerability applies when the UnmarshalOptions.DiscardUnknown
> option is set (as well as when unmarshaling into any message which contains a
> google.protobuf.Any). There is no UnmarshalUnknown option.
>
> In addition, version 1.33.0 of google.golang.org/protobuf inadvertently
> introduced an incompatibility with the older github.com/golang/protobuf
> module. (golang/protobuf#1596) Users of the older
> module should update to github.com/golang/protobuf@v1.5.4.

govulncheck results in our code:

    govulncheck ./...
    Scanning your code and 1221 packages across 204 dependent modules for known vulnerabilities...

    === Symbol Results ===

    Vulnerability #1: GO-2024-2611
        Infinite loop in JSON unmarshaling in google.golang.org/protobuf
      More info: https://pkg.go.dev/vuln/GO-2024-2611
      Module: google.golang.org/protobuf
        Found in: google.golang.org/protobuf@v1.31.0
        Fixed in: google.golang.org/protobuf@v1.33.0
        Example traces found:
          #1: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Peek
          #2: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls json.Decoder.Read
          #3: daemon/logger/gcplogs/gcplogging.go:154:18: gcplogs.New calls logging.Client.Ping, which eventually calls protojson.Unmarshal

    Your code is affected by 1 vulnerability from 1 module.
    This scan found no other vulnerabilities in packages you import or modules you
    require.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
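The commit message above carries two facts a dependency gate has to encode together: google.golang.org/protobuf needs to be at v1.33.0 or later to close CVE-2024-24786 (GO-2024-2611), and once it is, github.com/golang/protobuf must be at v1.5.4 or later or the build breaks (golang/protobuf#1596). The following is an added example, not code from moby or from the commit: a small go.mod require-block scanner that applies exactly those two rules. The three go.mod texts are constructed (before the bump, after bumping only protobuf-go, after bumping both); govulncheck remains the real tool, since it is call-graph based, whereas this is only a version check.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	protobufGo        = "google.golang.org/protobuf"
	protobufGoFix     = "v1.33.0" // first version fixing CVE-2024-24786 / GO-2024-2611
	protobufLegacy    = "github.com/golang/protobuf"
	protobufLegacyFix = "v1.5.4" // first version compatible with protobuf-go v1.33.0
)

// parseRequires extracts "module version" pairs from go.mod text, handling
// both single-line "require m v" and "require ( ... )" blocks, and dropping
// comments such as "// indirect".
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) == 3:
			reqs[fields[1]] = fields[2]
		case inBlock && len(fields) == 2:
			reqs[fields[0]] = fields[1]
		}
	}
	return reqs
}

// splitSemver turns "v1.33.0-rc1+meta" into its numeric core and a flag
// saying whether a pre-release suffix was present.
func splitSemver(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	var n [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// semverLess reports whether a < b numerically; "v1.9.0" < "v1.10.0", and a
// pre-release sorts before the release with the same core version.
func semverLess(a, b string) bool {
	na, pa := splitSemver(a)
	nb, pb := splitSemver(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa && !pb
}

// checkProtobuf applies the two rules from the advisory: the vulnerable
// range of protobuf-go, and the companion bump of the legacy module that
// v1.33.0 requires.
func checkProtobuf(reqs map[string]string) []string {
	v, ok := reqs[protobufGo]
	if !ok {
		return nil
	}
	var findings []string
	if semverLess(v, protobufGoFix) {
		findings = append(findings, fmt.Sprintf("%s@%s: CVE-2024-24786 (GO-2024-2611), protojson.Unmarshal infinite loop; update to %s", protobufGo, v, protobufGoFix))
	} else if lv, ok := reqs[protobufLegacy]; ok && semverLess(lv, protobufLegacyFix) {
		findings = append(findings, fmt.Sprintf("%s@%s is incompatible with %s@%s (golang/protobuf#1596); update to %s", protobufLegacy, lv, protobufGo, v, protobufLegacyFix))
	}
	return findings
}

// CONSTRUCTED go.mod samples: as before the bump, with only protobuf-go
// bumped, and with both modules bumped.
const goModBefore = `module example.com/daemon

go 1.21

require (
	github.com/golang/protobuf v1.5.3
	google.golang.org/protobuf v1.31.0 // indirect
)
`

var (
	goModHalf  = strings.Replace(goModBefore, "v1.31.0", "v1.33.0", 1)
	goModAfter = strings.Replace(goModHalf, "v1.5.3", "v1.5.4", 1)
)

func main() {
	for name, m := range map[string]string{"before": goModBefore, "half": goModHalf, "after": goModAfter} {
		fmt.Printf("%s: %v\n", name, checkProtobuf(parseRequires(m)))
	}
}
```

The second rule is the one a plain vulnerability scanner will not flag, because github.com/golang/protobuf@v1.5.3 is not itself vulnerable; it only fails to build against the fixed protobuf-go, which is why the commit bumps both modules together.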