feat: release 2.10.2 (apache#5521)

Co-authored-by: leslie <59061168+leslie-tsang@users.noreply.github.com>
Co-authored-by: 罗泽轩 <spacewanderlzx@gmail.com>

.github/workflows/build.yml

@@ -6,7 +6,7 @@ on:
     paths-ignore:
       - 'docs/**'
   pull_request:
-    branches: [master]
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
 

.github/workflows/centos7-ci.yml

@@ -6,7 +6,7 @@ on:
     paths-ignore:
       - 'docs/**'
   pull_request:
-    branches: [master]
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
 

.github/workflows/chaos.yml

@@ -2,8 +2,7 @@ name: Chaos Test
 
 on:
   pull_request:
-    branches:
-      - master
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
 

.github/workflows/code-lint.yml

@@ -2,7 +2,7 @@ name: Code Lint
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
 

.github/workflows/doc-lint.yml

@@ -2,7 +2,7 @@ name: Doc Lint
 
 on:
   pull_request:
-    branches: [master]
+    branches: [master, 'release/**']
     paths:
       - '**/*.md'
 

.github/workflows/fuzzing-ci.yaml

@@ -2,13 +2,11 @@ name: fuzzing
 
 on:
   push:
-    branches:
-      - master
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
   pull_request:
-    branches:
-      - master
+    branches: [master, 'release/**']
     paths-ignore:
       - 'docs/**'
 

.github/workflows/license-checker.yml

@@ -20,11 +20,9 @@ name: License checker
 
 on:
   push:
-    branches:
-      - master
+    branches: [master, 'release/**']
   pull_request:
-    branches:
-      - master
+    branches: [master, 'release/**']
 
 jobs:
   check-license:

CHANGELOG.md

@@ -23,6 +23,7 @@ title: Changelog
 
 ## Table of Contents
 
+- [2.10.2](#2102)
 - [2.10.1](#2101)
 - [2.10.0](#2100)
 - [2.9.0](#290)
@@ -47,6 +48,23 @@ title: Changelog
 - [0.7.0](#070)
 - [0.6.0](#060)
 
+## 2.10.2
+
+### Bugfix
+
+- fix: response.set_header should remove header like request.set_header [#5499](https://github.com/apache/apisix/pull/5499)
+- fix(batch-requests): correct the client ip in the pipeline [#5476](https://github.com/apache/apisix/pull/5476)
+- fix(upstream): load imbalance when it's referred by multiple routes [#5462](https://github.com/apache/apisix/pull/5462)
+- fix(hmac-auth): check if the X-HMAC-ALGORITHM header is missing [#5467](https://github.com/apache/apisix/pull/5467)
+- fix: prevent being hacked by untrusted request_uri [#5458](https://github.com/apache/apisix/pull/5458)
+- fix(admin): modify boolean parameters with PATCH [#5434](https://github.com/apache/apisix/pull/5432)
+- fix(traffic-split): multiple rules with multiple weighted_upstreams under each rule cause upstream_key duplicate [#5414](https://github.com/apache/apisix/pull/5414)
+- fix: add handler for invalid basic auth header values [#5419](https://github.com/apache/apisix/pull/5419)
+
+### Change
+
+- change: log insensitive consumer info only [#5445](https://github.com/apache/apisix/pull/5445)
+
 ## 2.10.1
 
 ### Bugfix

apisix/admin/init.lua

@@ -157,7 +157,7 @@ local function run()
 
     if req_body then
         local data, err = core.json.decode(req_body)
-        if not data then
+        if err then
             core.log.error("invalid request body: ", req_body, " err: ", err)
             core.response.exit(400, {error_msg = "invalid request body: " .. err,
                                      req_body = req_body})

apisix/admin/routes.lua

@@ -247,7 +247,7 @@ function _M.patch(id, conf, sub_path, args)
         return 400, {error_msg = "missing route id"}
     end
 
-    if not conf then
+    if conf == nil then
         return 400, {error_msg = "missing new configuration"}
     end
 

apisix/cli/ops.lua

@@ -416,6 +416,26 @@ Please modify "admin_key" in conf/config.yaml .
         util.die("missing apisix.proxy_cache for plugin proxy-cache\n")
     end
 
+    if enabled_plugins["batch-requests"] then
+        local pass_real_client_ip = false
+        local real_ip_from = yaml_conf.nginx_config.http.real_ip_from
+        -- the real_ip_from is enabled by default, we just need to make sure it's
+        -- not disabled by the users
+        if real_ip_from then
+            for _, ip in ipairs(real_ip_from) do
+                -- TODO: handle cidr
+                if ip == "127.0.0.1" or ip == "0.0.0.0/0" then
+                    pass_real_client_ip = true
+                end
+            end
+        end
+
+        if not pass_real_client_ip then
+            util.die("missing '127.0.0.1' in the nginx_config.http.real_ip_from for plugin " ..
+                     "batch-requests\n")
+        end
+    end
+
     local ports_to_check = {}
 
     -- listen in admin use a separate port, support specific IP, compatible with the original style

apisix/core/ctx.lua

@@ -119,6 +119,12 @@ do
         end
     }
 
+    local no_cacheable_var_names = {
+        -- var.args should not be cached as it can be changed via set_uri_args
+        args = true,
+        is_args = true,
+    }
+
     local ngx_var_names = {
         upstream_scheme            = true,
         upstream_host              = true,
@@ -210,7 +216,7 @@ do
                 val = get_var(key, t._request)
             end
 
-            if val ~= nil then
+            if val ~= nil and not no_cacheable_var_names[key] then
                 t._cache[key] = val
             end
 

apisix/core/response.lua

@@ -100,7 +100,9 @@ local function set_header(append, ...)
     if count == 1 then
         local headers = select(1, ...)
         if type(headers) ~= "table" then
-            error("should be a table if only one argument", 2)
+            -- response.set_header(name, nil)
+            ngx_header[headers] = nil
+            return
         end
 
         for k, v in pairs(headers) do

apisix/core/version.lua

@@ -15,5 +15,5 @@
 -- limitations under the License.
 --
 return {
-    VERSION = "2.10.1"
+    VERSION = "2.10.2"
 }

apisix/init.lua

@@ -367,6 +367,12 @@ function _M.http_access_phase()
         end
     end
 
+    -- To prevent being hacked by untrusted request_uri, here we
+    -- record the normalized but not rewritten uri as request_uri,
+    -- the original request_uri can be accessed via var.real_request_uri
+    api_ctx.var.real_request_uri = api_ctx.var.request_uri
+    api_ctx.var.request_uri = api_ctx.var.uri .. api_ctx.var.is_args .. (api_ctx.var.args or "")
+
     if router.api.has_route_not_under_apisix() or
         core.string.has_prefix(uri, "/apisix/")
     then

apisix/plugins/basic-auth.lua

@@ -80,12 +80,23 @@ local function extract_auth_header(authorization)
             return nil, err
         end
 
+        if not m then
+            return nil, "Invalid authorization header format"
+        end
+
         local decoded = ngx.decode_base64(m[1])
 
+        if not decoded then
+            return nil, "Failed to decode authentication header: " .. m[1]
+        end
+
         local res
         res, err = ngx_re.split(decoded, ":")
         if err then
-            return nil, "split authorization err:" .. err
+            return nil, "Split authorization err:" .. err
+        end
+        if #res < 2 then
+            return nil, "Split authorization err: invalid decoded data: " .. decoded
         end
 
         obj.username = ngx.re.gsub(res[1], "\\s+", "", "jo")

apisix/plugins/batch-requests.lua

@@ -162,6 +162,10 @@ end
 
 
 local function set_common_header(data)
+    local local_conf = core.config.local_conf()
+    local real_ip_hdr = core.table.try_read_attr(local_conf, "nginx_config", "http",
+                                                 "real_ip_header")
+
     local outer_headers = core.request.headers(nil)
     for i,req in ipairs(data.pipeline) do
         for k, v in pairs(data.headers) do
@@ -179,6 +183,8 @@ local function set_common_header(data)
                 end
             end
         end
+
+        req.headers[real_ip_hdr] = core.request.get_remote_client_ip()
     end
 end
 

apisix/plugins/hmac-auth.lua

@@ -291,6 +291,10 @@ local function validate(ctx, params)
         return nil, {message = "access key or signature missing"}
     end
 
+    if not params.algorithm then
+        return nil, {message = "algorithm missing"}
+    end
+
     local consumer, err = get_consumer(params.access_key)
     if err then
         return nil, err

apisix/plugins/traffic-split.lua

@@ -24,6 +24,7 @@ local pairs      = pairs
 local ipairs     = ipairs
 local type       = type
 local table_insert = table.insert
+local tostring   = tostring
 
 local lrucache = core.lrucache.new({
     ttl = 0, count = 512
@@ -187,7 +188,10 @@ local function set_upstream(upstream_info, ctx)
     local matched_route = ctx.matched_route
     up_conf.parent = matched_route
     local upstream_key = up_conf.type .. "#route_" ..
-                         matched_route.value.id .. "_" ..upstream_info.vid
+                         matched_route.value.id .. "_" .. upstream_info.vid
+    if upstream_info.node_tid then
+        upstream_key = upstream_key .. "_" .. upstream_info.node_tid
+    end
     core.log.info("upstream_key: ", upstream_key)
     upstream.set(ctx, upstream_key, ctx.conf_version, up_conf)
 
@@ -203,6 +207,12 @@ local function new_rr_obj(weighted_upstreams)
         elseif upstream_obj.upstream then
             -- Add a virtual id field to uniquely identify the upstream key.
             upstream_obj.upstream.vid = i
+            -- Get the table id of the nodes as part of the upstream_key,
+            -- avoid upstream_key duplicate because vid is the same in the loop
+            -- when multiple rules with multiple weighted_upstreams under each rule.
+            -- see https://github.com/apache/apisix/issues/5276
+            local node_tid = tostring(upstream_obj.upstream.nodes):sub(#"table: " + 1)
+            upstream_obj.upstream.node_tid = node_tid
             server_list[upstream_obj.upstream] = upstream_obj.weight
         else
             -- If the upstream object has only the weight value, it means

apisix/upstream.lua

@@ -273,7 +273,7 @@ function _M.set_by_route(route, api_ctx)
     end
 
     set_directly(api_ctx, up_conf.type .. "#upstream_" .. tostring(up_conf),
-                 api_ctx.conf_version, up_conf)
+                 tostring(up_conf), up_conf)
 
     local nodes_count = up_conf.nodes and #up_conf.nodes or 0
     if nodes_count == 0 then

apisix/utils/log-util.lua

@@ -84,6 +84,13 @@ local function get_full_log(ngx, conf)
         service_id = var.host
     end
 
+    local consumer
+    if ctx.consumer then
+        consumer = {
+            username = ctx.consumer.username
+        }
+    end
+
     local log =  {
         request = {
             url = url,
@@ -105,7 +112,7 @@ local function get_full_log(ngx, conf)
         upstream = var.upstream_addr,
         service_id = service_id,
         route_id = route_id,
-        consumer = ctx.consumer,
+        consumer = consumer,
         client_ip = core.request.get_remote_client_ip(ngx.ctx.api_ctx),
         start_time = ngx.req.start_time() * 1000,
         latency = (ngx.now() - ngx.req.start_time()) * 1000

ci/install-ext-services-via-docker.sh

@@ -24,8 +24,8 @@ docker run --rm -itd -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=123456 -p 8090:
 docker network create kafka-net --driver bridge
 docker run --name zookeeper-server1 -d -p 2181:2181 --network kafka-net -e ALLOW_ANONYMOUS_LOGIN=yes bitnami/zookeeper:3.6.0
 docker run --name zookeeper-server2 -d -p 12181:2181 --network kafka-net -e ALLOW_ANONYMOUS_LOGIN=yes bitnami/zookeeper:3.6.0
-docker run --name kafka-server1 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server1:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 9092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:latest
-docker run --name kafka-server2 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server2:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 19092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:latest
+docker run --name kafka-server1 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server1:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 9092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:2.8.1
+docker run --name kafka-server2 -d --network kafka-net -e ALLOW_PLAINTEXT_LISTENER=yes -e KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper-server2:2181 -e KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://127.0.0.1:9092 -p 19092:9092 -e KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE=true bitnami/kafka:2.8.1
 docker run --name eureka -d -p 8761:8761 --env ENVIRONMENT=apisix --env spring.application.name=apisix-eureka --env server.port=8761 --env eureka.instance.ip-address=127.0.0.1 --env eureka.client.registerWithEureka=true --env eureka.client.fetchRegistry=false --env eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8761/eureka/ bitinit/eureka
 sleep 5
 docker exec -i kafka-server1 /opt/bitnami/kafka/bin/kafka-topics.sh --create --zookeeper zookeeper-server1:2181 --replication-factor 1 --partitions 1 --topic test2

docs/en/latest/config.json

@@ -1,5 +1,5 @@
 {
-  "version": "2.10.1",
+  "version": "2.10.2",
   "sidebar": [
     {
       "type": "category",