[AutoPR- Security] Patch application-gateway-kubernetes-ingress for CVE-2025-30204, CVE-2025-47911 [MEDIUM] (#15886)

Signed-off-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <kanbansal@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Co-authored-by: jykanase <v-jykanase@microsoft.com>

Author: 4 people

SPECS/application-gateway-kubernetes-ingress/CVE-2025-30204.patch

@@ -0,0 +1,169 @@
+From 6a4015ba092822e5b0c92c68552ff613c419bd43 Mon Sep 17 00:00:00 2001
+From: Michael Fridman <mfridman@buf.build>
+Date: Fri, 21 Mar 2025 16:42:51 -0400
+Subject: [PATCH] Backporting 0951d18 to v4
+
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang-jwt/jwt/commit/2f0e9add62078527821828c76865661aa7718a84.patch
+---
+ vendor/github.com/dgrijalva/jwt-go/jwt_test.go | 89 ++++++++++++++++++++
+ vendor/github.com/dgrijalva/jwt-go/parser.go   | 36 +++++++-
+ 2 files changed, 122 insertions(+), 3 deletions(-)
+ create mode 100644 vendor/github.com/dgrijalva/jwt-go/jwt_test.go
+
+diff --git a/vendor/github.com/dgrijalva/jwt-go/jwt_test.go b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
+new file mode 100644
+index 0000000..b01e899
+--- /dev/null
++++ b/vendor/github.com/dgrijalva/jwt-go/jwt_test.go
+@@ -0,0 +1,89 @@
++package jwt
++
++import (
++	"testing"
++)
++
++func TestSplitToken(t *testing.T) {
++	t.Parallel()
++
++	tests := []struct {
++		name     string
++		input    string
++		expected []string
++		isValid  bool
++	}{
++		{
++			name:     "valid token with three parts",
++			input:    "header.claims.signature",
++			expected: []string{"header", "claims", "signature"},
++			isValid:  true,
++		},
++		{
++			name:     "invalid token with two parts only",
++			input:    "header.claims",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with one part only",
++			input:    "header",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with extra delimiter",
++			input:    "header.claims.signature.extra",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid empty token",
++			input:    "",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "valid token with empty parts",
++			input:    "..signature",
++			expected: []string{"", "", "signature"},
++			isValid:  true,
++		},
++		{
++			// We are just splitting the token into parts, so we don't care about the actual values.
++			// It is up to the caller to validate the parts.
++			name:     "valid token with all parts empty",
++			input:    "..",
++			expected: []string{"", "", ""},
++			isValid:  true,
++		},
++		{
++			name:     "invalid token with just delimiters and extra part",
++			input:    "...",
++			expected: nil,
++			isValid:  false,
++		},
++		{
++			name:     "invalid token with many delimiters",
++			input:    "header.claims.signature..................",
++			expected: nil,
++			isValid:  false,
++		},
++	}
++
++	for _, tt := range tests {
++		t.Run(tt.name, func(t *testing.T) {
++			parts, ok := splitToken(tt.input)
++			if ok != tt.isValid {
++				t.Errorf("expected %t, got %t", tt.isValid, ok)
++			}
++			if ok {
++				for i, part := range tt.expected {
++					if parts[i] != part {
++						t.Errorf("expected %s, got %s", part, parts[i])
++					}
++				}
++			}
++		})
++	}
++}
+diff --git a/vendor/github.com/dgrijalva/jwt-go/parser.go b/vendor/github.com/dgrijalva/jwt-go/parser.go
+index 9fddb7d..dbee074 100644
+--- a/vendor/github.com/dgrijalva/jwt-go/parser.go
++++ b/vendor/github.com/dgrijalva/jwt-go/parser.go
+@@ -7,6 +7,8 @@ import (
+ 	"strings"
+ )
+ 
++const tokenDelimiter = "."
++
+ type Parser struct {
+ 	ValidMethods         []string // If populated, only these methods will be considered valid
+ 	UseJSONNumber        bool     // Use JSON Number format in JSON decoder
+@@ -99,9 +101,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
+ // been checked previously in the stack) and you want to extract values from
+ // it.
+ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
+-	parts = strings.Split(tokenString, ".")
+-	if len(parts) != 3 {
+-		return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
++	var ok bool
++	parts, ok = splitToken(tokenString)
++	if !ok {
++		return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ 	}
+ 
+ 	token = &Token{Raw: tokenString}
+@@ -151,3 +154,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
+ 
+ 	return token, parts, nil
+ }
++
++// splitToken splits a token string into three parts: header, claims, and signature. It will only
++// return true if the token contains exactly two delimiters and three parts. In all other cases, it
++// will return nil parts and false.
++func splitToken(token string) ([]string, bool) {
++	parts := make([]string, 3)
++	header, remain, ok := strings.Cut(token, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[0] = header
++	claims, remain, ok := strings.Cut(remain, tokenDelimiter)
++	if !ok {
++		return nil, false
++	}
++	parts[1] = claims
++	// One more cut to ensure the signature is the last part of the token and there are no more
++	// delimiters. This avoids an issue where malicious input could contain additional delimiters
++	// causing unecessary overhead parsing tokens.
++	signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
++	if unexpected {
++		return nil, false
++	}
++	parts[2] = signature
++
++	return parts, true
++}
+-- 
+2.45.4
+

SPECS/application-gateway-kubernetes-ingress/CVE-2025-47911.patch

@@ -0,0 +1,100 @@
+From a2aa394b94f7201506c00cd6b0b64a2dca2ce6b7 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Mon, 29 Sep 2025 16:33:18 -0700
+Subject: [PATCH] html: impose open element stack size limit
+
+The HTML specification contains a number of algorithms which are
+quadratic in complexity by design. Instead of adding complicated
+workarounds to prevent these cases from becoming extremely expensive in
+pathological cases, we impose a limit of 512 to the size of the stack of
+open elements. It is extremely unlikely that non-adversarial HTML
+documents will ever hit this limit (but if we see cases of this, we may
+want to make the limit configurable via a ParseOption).
+
+Thanks to Guido Vranken and Jakub Ciolek for both independently
+reporting this issue.
+
+Fixes CVE-2025-47911
+Fixes golang/go#75682
+
+Change-Id: I890517b189af4ffbf427d25d3fde7ad7ec3509ad
+Reviewed-on: https://go-review.googlesource.com/c/net/+/709876
+Reviewed-by: Damien Neil <dneil@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/59706cdaa8f95502fdec64b67b4c61d6ca58727d.patch
+---
+ vendor/golang.org/x/net/html/escape.go |  2 +-
+ vendor/golang.org/x/net/html/parse.go  | 21 +++++++++++++++++----
+ 2 files changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/escape.go b/vendor/golang.org/x/net/html/escape.go
+index d856139..8edd4c4 100644
+--- a/vendor/golang.org/x/net/html/escape.go
++++ b/vendor/golang.org/x/net/html/escape.go
+@@ -218,7 +218,7 @@ func escape(w writer, s string) error {
+ 		case '\r':
+ 			esc = "&#13;"
+ 		default:
+-			panic("unrecognized escape character")
++			panic("html: unrecognized escape character")
+ 		}
+ 		s = s[i+1:]
+ 		if _, err := w.WriteString(esc); err != nil {
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 851dc42..ac1fac1 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -231,7 +231,14 @@ func (p *parser) addChild(n *Node) {
+ 	}
+ 
+ 	if n.Type == ElementNode {
+-		p.oe = append(p.oe, n)
++		p.insertOpenElement(n)
++	}
++}
++
++func (p *parser) insertOpenElement(n *Node) {
++	p.oe = append(p.oe, n)
++	if len(p.oe) > 512 {
++		panic("html: open stack of elements exceeds 512 nodes")
+ 	}
+ }
+ 
+@@ -786,7 +793,7 @@ func afterHeadIM(p *parser) bool {
+ 			p.im = inFramesetIM
+ 			return true
+ 		case a.Base, a.Basefont, a.Bgsound, a.Link, a.Meta, a.Noframes, a.Script, a.Style, a.Template, a.Title:
+-			p.oe = append(p.oe, p.head)
++			p.insertOpenElement(p.head)
+ 			defer p.oe.remove(p.head)
+ 			return inHeadIM(p)
+ 		case a.Head:
+@@ -2273,9 +2280,13 @@ func (p *parser) parseCurrentToken() {
+ 	}
+ }
+ 
+-func (p *parser) parse() error {
++func (p *parser) parse() (err error) {
++	defer func() {
++		if panicErr := recover(); panicErr != nil {
++			err = fmt.Errorf("%s", panicErr)
++		}
++	}()
+ 	// Iterate until EOF. Any other error will cause an early return.
+-	var err error
+ 	for err != io.EOF {
+ 		// CDATA sections are allowed only in foreign content.
+ 		n := p.oe.top()
+@@ -2304,6 +2315,8 @@ func (p *parser) parse() error {
+ // <tag>s. Conversely, explicit <tag>s in r's data can be silently dropped,
+ // with no corresponding node in the resulting tree.
+ //
++// Parse will reject HTML that is nested deeper than 512 elements.
++//
+ // The input is assumed to be UTF-8 encoded.
+ func Parse(r io.Reader) (*Node, error) {
+ 	return ParseWithOptions(r)
+-- 
+2.45.4
+

SPECS/application-gateway-kubernetes-ingress/application-gateway-kubernetes-ingress.spec

@@ -2,7 +2,7 @@
 Summary:        Application Gateway Ingress Controller
 Name:           application-gateway-kubernetes-ingress
 Version:        1.4.0
-Release:        26%{?dist}
+Release:        27%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -32,6 +32,8 @@ Patch2:         CVE-2021-44716.patch
 Patch3:         CVE-2022-32149.patch
 Patch4:         CVE-2024-45338.patch
 Patch5:         CVE-2024-51744.patch
+Patch6:         CVE-2025-30204.patch
+Patch7:         CVE-2025-47911.patch
 
 BuildRequires:  golang
 %if %{with_check}
@@ -70,6 +72,9 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 %{_bindir}/appgw-ingress
 
 %changelog
+* Wed Feb 18 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.4.0-27
+- Patch for CVE-2025-30204, CVE-2025-47911
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.4.0-26
 - Bump release to rebuild with golang
 
@@ -129,7 +134,7 @@ cp appgw-ingress %{buildroot}%{_bindir}/
 * Fri Feb 03 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.4.0-8
 - Bump release to rebuild with go 1.19.5
 
-* Tues Jan 24 2023 Adit Jha <aditjha@microsoft.com> - 1.4.0-7
+* Tue Jan 24 2023 Adit Jha <aditjha@microsoft.com> - 1.4.0-7
 - Bump release to rebuild vendor repoistory which contain patch fix for CVE-2021-4235, CVE-2022-3064
 
 * Wed Jan 18 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.4.0-6