|
| 1 | +From b6bb7dacb0086d150cfbd44f1a636c871485b42d Mon Sep 17 00:00:00 2001 |
| 2 | +From: Sindhu Karri <lakarri@microsoft.com> |
| 3 | +Date: Wed, 17 Jul 2024 08:35:51 +0000 |
| 4 | +Subject: [PATCH] Fix CVE-2024-6104 |
| 5 | + |
| 6 | +--- |
| 7 | + .../hashicorp/go-retryablehttp/client.go | 28 ++++++++++++++----- |
| 8 | + 1 file changed, 21 insertions(+), 7 deletions(-) |
| 9 | + |
| 10 | +diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 11 | +index c9edbd0..1394fbc 100644 |
| 12 | +--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 13 | ++++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go |
| 14 | +@@ -609,9 +609,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 15 | + if logger != nil { |
| 16 | + switch v := logger.(type) { |
| 17 | + case LeveledLogger: |
| 18 | +- v.Debug("performing request", "method", req.Method, "url", req.URL) |
| 19 | ++ v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL)) |
| 20 | + case Logger: |
| 21 | +- v.Printf("[DEBUG] %s %s", req.Method, req.URL) |
| 22 | ++ v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL)) |
| 23 | + } |
| 24 | + } |
| 25 | + |
| 26 | +@@ -666,9 +666,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 27 | + if err != nil { |
| 28 | + switch v := logger.(type) { |
| 29 | + case LeveledLogger: |
| 30 | +- v.Error("request failed", "error", err, "method", req.Method, "url", req.URL) |
| 31 | ++ v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL)) |
| 32 | + case Logger: |
| 33 | +- v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err) |
| 34 | ++ v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err) |
| 35 | + } |
| 36 | + } else { |
| 37 | + // Call this here to maintain the behavior of logging all requests, |
| 38 | +@@ -704,7 +704,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 39 | + |
| 40 | + wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp) |
| 41 | + if logger != nil { |
| 42 | +- desc := fmt.Sprintf("%s %s", req.Method, req.URL) |
| 43 | ++ desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL)) |
| 44 | + if resp != nil { |
| 45 | + desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode) |
| 46 | + } |
| 47 | +@@ -760,11 +760,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) { |
| 48 | + // communicate why |
| 49 | + if err == nil { |
| 50 | + return nil, fmt.Errorf("%s %s giving up after %d attempt(s)", |
| 51 | +- req.Method, req.URL, attempt) |
| 52 | ++ req.Method, redactURL(req.URL), attempt) |
| 53 | + } |
| 54 | + |
| 55 | + return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w", |
| 56 | +- req.Method, req.URL, attempt, err) |
| 57 | ++ req.Method, redactURL(req.URL), attempt, err) |
| 58 | + } |
| 59 | + |
| 60 | + // Try to read the response body so we can reuse this connection. |
| 61 | +@@ -845,3 +845,17 @@ func (c *Client) StandardClient() *http.Client { |
| 62 | + Transport: &RoundTripper{Client: c}, |
| 63 | + } |
| 64 | + } |
| 65 | ++ |
| 66 | ++// Taken from url.URL#Redacted() which was introduced in go 1.15. |
| 67 | ++// We can switch to using it directly if we'll bump the minimum required go version. |
| 68 | ++func redactURL(u *url.URL) string { |
| 69 | ++ if u == nil { |
| 70 | ++ return "" |
| 71 | ++ } |
| 72 | ++ |
| 73 | ++ ru := *u |
| 74 | ++ if _, has := ru.User.Password(); has { |
| 75 | ++ ru.User = url.UserPassword(ru.User.Username(), "xxxxx") |
| 76 | ++ } |
| 77 | ++ return ru.String() |
| 78 | ++} |
| 79 | +-- |
| 80 | +2.33.8 |
| 81 | + |
0 commit comments