diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 23627e03..f719be8a 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,9 +30,9 @@ jobs: with: go-version: ${{ needs.get-go-version.outputs.go-version }} - name: golangci-lint - uses: golangci/golangci-lint-action@a4f60bb28d35aeee14e6880718e0c85ff1882e64 # v6.0.1 + uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 with: - version: v1.60.1 + version: v2.8.0 args: | --verbose only-new-issues: false diff --git a/.go-version b/.go-version index d8c40e53..b45fe310 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.23.6 +1.25.5 diff --git a/.golangci.yml b/.golangci.yml index aed39e02..6e74f433 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,15 +1,19 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: MPL-2.0 +version: "2" + linters: - disable-all: true enable: - - gofmt - govet - unconvert - staticcheck - ineffassign - unparam + +formatters: + enable: + - gofmt - goimports run: diff --git a/CHANGELOG.md b/CHANGELOG.md index 41d398c3..c1661387 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,10 +3,14 @@ BUG FIXES * Fix bug where calls to AWS IAM and STS services error out due to URL with multiple trailing slashes. SECURITY -* Upgrade go version to `1.23.6` and crypto to `0.35.0` to address [CVE-2025-22869](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22869) +* Upgrade `golang.org/x/crypto` to `v0.45.0` to address [GO-2025-4134] and [GO-2025-4116] IMPROVEMENTS -* Remove info logs from health sync checks +* Remove info logs from health sync checks +* Bump Go version to `1.25.5` +* Bump `golang.org/x/net` to `v0.47.0` +* Bump `golang.org/x/sys` to `v0.38.0` +* Bump `golang.org/x/text` to `v0.31.0` ## 0.9.0 (Jan 15, 2025) BUG FIXES diff --git a/entrypoint/cmd.go b/entrypoint/cmd.go index b9f30326..08f7197d 100644 --- a/entrypoint/cmd.go +++ b/entrypoint/cmd.go 
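Review bot: In `.golangci.yml` the `disable-all: true` key is dropped without a v2 replacement, so the `enable` list now adds to golangci-lint's default linter set instead of being the complete set. If that is intended (the new `Close`/`Fprint` error checks elsewhere in this commit suggest errcheck is now active), say so with `default: standard` under `linters:`. If the old allow-list behaviour is wanted, use `default: none`. Either way the file then documents which linters gate CI instead of leaving it to the tool's defaults, which can change between linter releases.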
@@ -50,14 +50,14 @@ func (e *Cmd) Run() { defer close(e.doneCh) defer close(e.startedCh) - if err := e.Cmd.Start(); err != nil { + if err := e.Start(); err != nil { e.log.Error("starting process", "error", err.Error()) // Closed channels (in defers) indicate the command failed to start. return } e.startedCh <- struct{}{} - if err := e.Cmd.Wait(); err != nil { + if err := e.Wait(); err != nil { if _, ok := err.(*exec.ExitError); !ok { // Do not log if it is only a non-zero exit code. e.log.Error("waiting for process to finish", "error", err.Error()) diff --git a/go.mod b/go.mod index ff1651bb..8dafe307 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/hashicorp/consul-ecs -go 1.23.6 +go 1.25.5 require ( github.com/aws/aws-sdk-go v1.55.5 @@ -64,11 +64,11 @@ require ( github.com/spf13/cast v1.5.0 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect - golang.org/x/crypto v0.36.0 // indirect + golang.org/x/crypto v0.45.0 // indirect golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect - golang.org/x/net v0.38.0 // indirect - golang.org/x/sys v0.31.0 // indirect - golang.org/x/text v0.23.0 // indirect + golang.org/x/net v0.47.0 // indirect + golang.org/x/sys v0.38.0 // indirect + golang.org/x/text v0.31.0 // indirect google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect google.golang.org/grpc v1.56.3 // indirect google.golang.org/protobuf v1.33.0 // indirect diff --git a/go.sum b/go.sum index 6d399949..cb5e5e3c 100644 --- a/go.sum +++ b/go.sum 
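Review bot: The shortened `e.Start()` and `e.Wait()` calls in `Cmd.Run` (entrypoint/cmd.go) no longer show which calls reach the child process, because they rely on method promotion from what appears to be an embedded `*exec.Cmd` while `Run` is redefined on the wrapper. A comment above the first call would keep that visible: `// Start and Wait are promoted from the embedded exec.Cmd; Run is this wrapper's own method.` The same shortening is applied to `c.Flags()` in `subcommand/app-entrypoint/command_unix.go` and `subcommand/envoy-entrypoint/command_unix.go`, where the embedded log options are also declared outside the hunk. The body of `Run` continues past the end of this hunk.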
@@ -277,8 +277,8 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= -golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= +golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= +golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 h1:m64FZMko/V45gv0bNmrNYoDEq8U5YUhetc9cBWKS1TQ= golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63/go.mod h1:0v4NqG35kSWCMzLaMeX+IQrlSnVE/bqGSyC2cz/9Le8= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -291,8 +291,8 @@ golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= -golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= -golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY= +golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -300,8 +300,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw= -golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA= +golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I= +golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -330,15 +330,15 @@ golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= -golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= -golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= +golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM= +golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/subcommand/app-entrypoint/command_unix.go b/subcommand/app-entrypoint/command_unix.go index 9065065f..273331dc 100644 --- a/subcommand/app-entrypoint/command_unix.go 
+++ b/subcommand/app-entrypoint/command_unix.go @@ -45,7 +45,7 @@ func (c *Command) init() { c.flagSet = flag.NewFlagSet("", flag.ContinueOnError) c.flagSet.DurationVar(&c.shutdownDelay, flagShutdownDelay, 0, `Continue running for this long after receiving SIGTERM. Must be a duration (e.g. "10s").`) - logging.Merge(c.flagSet, c.LogOpts.Flags()) + logging.Merge(c.flagSet, c.Flags()) c.started = make(chan struct{}, 1) c.sigs = make(chan os.Signal, 1) diff --git a/subcommand/controller/command_ent_test.go b/subcommand/controller/command_ent_test.go index f165cf82..0d33376f 100644 --- a/subcommand/controller/command_ent_test.go +++ b/subcommand/controller/command_ent_test.go @@ -9,6 +9,20 @@ import ( "testing" ) +const ( + expEntAnonTokenPolicy = ` +partition_prefix "" { + namespace_prefix "" { + node_prefix "" { + policy = "read" + } + service_prefix "" { + policy = "read" + } + } +}` +) + func TestUpsertConsulResourcesEnt(t *testing.T) { testUpsertConsulResources(t, map[string]iamAuthTestCase{ "recreate the partition": { diff --git a/subcommand/controller/command_test.go b/subcommand/controller/command_test.go index 6ab593b5..7ece3613 100644 --- a/subcommand/controller/command_test.go +++ b/subcommand/controller/command_test.go @@ -25,18 +25,6 @@ import ( const ( testPartitionName = "test-partition" - expEntAnonTokenPolicy = ` -partition_prefix "" { - namespace_prefix "" { - node_prefix "" { - policy = "read" - } - service_prefix "" { - policy = "read" - } - } -}` - expOSSAnonTokenPolicy = ` node_prefix "" { policy = "read" diff --git a/subcommand/envoy-entrypoint/command_unix.go b/subcommand/envoy-entrypoint/command_unix.go index bc990343..0bfaa1f1 100644 --- a/subcommand/envoy-entrypoint/command_unix.go +++ b/subcommand/envoy-entrypoint/command_unix.go 
@@ -41,7 +41,7 @@ type Command struct { func (c *Command) init() { c.flagSet = flag.NewFlagSet("", flag.ContinueOnError) - logging.Merge(c.flagSet, c.LogOpts.Flags()) + logging.Merge(c.flagSet, c.Flags()) c.started = make(chan struct{}, 1) c.sigs = make(chan os.Signal, 1) diff --git a/subcommand/net-dial/command.go b/subcommand/net-dial/command.go index b9a60b33..79202f0f 100644 --- a/subcommand/net-dial/command.go +++ b/subcommand/net-dial/command.go @@ -4,6 +4,7 @@ package netdial import ( + "fmt" "net" "github.com/mitchellh/cli" @@ -23,7 +24,9 @@ func (c *Command) Run(args []string) int { if err != nil { return 2 } - conn.Close() + if err := conn.Close(); err != nil { + fmt.Printf("Warning: failed to close connection: %v\n", err) + } return 0 } diff --git a/subcommand/net-dial/command_test.go b/subcommand/net-dial/command_test.go index 3830408c..b33cabfc 100644 --- a/subcommand/net-dial/command_test.go +++ b/subcommand/net-dial/command_test.go @@ -33,9 +33,15 @@ func TestNetDial(t *testing.T) { require.NoError(t, err) args = append(args, l.Addr().String()) if c.code != 0 { - l.Close() + if err := l.Close(); err != nil { + t.Logf("Failed to close listener: %v", err) + } } else { - t.Cleanup(func() { l.Close() }) + t.Cleanup(func() { + if err := l.Close(); err != nil { + t.Logf("Failed to close listener in cleanup: %v", err) + } + }) } } diff --git a/testutil/aws.go b/testutil/aws.go index e13a7f7c..5c95a893 100644 --- a/testutil/aws.go +++ b/testutil/aws.go 
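Review bot: In `subcommand/net-dial/command.go` the new close warning in `Run` goes to stdout via `fmt.Printf`, while the dial failure just above returns 2 without printing anything, so the command's only output is for the less important error. If the warning is kept, send it to stderr with `fmt.Fprintf(os.Stderr, "Warning: failed to close connection: %v\n", err)` and add `os` to the import block. Since the dial has already succeeded and the exit code stays 0, `_ = conn.Close()` with a one-line comment would also satisfy the linter and keep the probe silent. The start of `Run` is outside the hunk.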
@@ -130,11 +130,19 @@ func AuthMethodInit(t *testing.T, consulClient *api.Client, expectedServiceName, require.NoError(t, err) t.Cleanup(func() { - os.Unsetenv("AWS_ACCESS_KEY_ID") - os.Unsetenv("AWS_SECRET_ACCESS_KEY") + if err := os.Unsetenv("AWS_ACCESS_KEY_ID"); err != nil { + t.Logf("Failed to unset AWS_ACCESS_KEY_ID: %v", err) + } + if err := os.Unsetenv("AWS_SECRET_ACCESS_KEY"); err != nil { + t.Logf("Failed to unset AWS_SECRET_ACCESS_KEY: %v", err) + } }) - os.Setenv("AWS_ACCESS_KEY_ID", "fake-key-id") - os.Setenv("AWS_SECRET_ACCESS_KEY", "fake-secret-key") + if err := os.Setenv("AWS_ACCESS_KEY_ID", "fake-key-id"); err != nil { + t.Fatalf("Failed to set AWS_ACCESS_KEY_ID: %v", err) + } + if err := os.Setenv("AWS_SECRET_ACCESS_KEY", "fake-secret-key"); err != nil { + t.Fatalf("Failed to set AWS_SECRET_ACCESS_KEY: %v", err) + } return fakeAws } diff --git a/testutil/iamauthtest/testing.go b/testutil/iamauthtest/testing.go index 665eb9d3..d53ce0bb 100644 --- a/testutil/iamauthtest/testing.go +++ b/testutil/iamauthtest/testing.go 
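Review bot: `AuthMethodInit` still installs the fake credentials with `os.Setenv` and removes them with `os.Unsetenv` in cleanup, so any `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` present before the test is left unset rather than restored. `t.Setenv("AWS_ACCESS_KEY_ID", "fake-key-id")` and `t.Setenv("AWS_SECRET_ACCESS_KEY", "fake-secret-key")` can replace the whole added block, including the `t.Cleanup`. They fail the test on error, restore the previous values afterwards, and refuse to run under a parallel test, where a process-wide environment change would leak into other tests. Whether any caller uses `t.Parallel()` is not visible here, so check that before switching. The beginning of the function is outside the hunk.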
@@ -67,22 +67,29 @@ func writeXML(w http.ResponseWriter, val interface{}) { str, err := xml.MarshalIndent(val, "", " ") if err != nil { w.WriteHeader(http.StatusInternalServerError) - fmt.Fprint(w, err.Error()) + if _, writeErr := fmt.Fprint(w, err.Error()); writeErr != nil { + fmt.Printf("Failed to write error response: %v\n", writeErr) + } return } w.Header().Add("Content-Type", "text/xml") w.WriteHeader(http.StatusOK) - fmt.Fprint(w, string(str)) + if _, writeErr := fmt.Fprint(w, string(str)); writeErr != nil { + fmt.Printf("Failed to write XML response: %v\n", writeErr) + } } func writeError(w http.ResponseWriter, code int, r *http.Request) { w.WriteHeader(code) msg := fmt.Sprintf("%s %s", r.Method, r.URL) - fmt.Fprintf(w, ` + if _, writeErr := fmt.Fprintf(w, ` Fake AWS Server Error: %s -`, msg) +`, msg); writeErr != nil { + // Log write error but don't fail the test + fmt.Printf("Failed to write error response: %v\n", writeErr) + } } type Fixture struct { diff --git a/version/version.go b/version/version.go index 00f29c90..d2dbc868 100644 --- a/version/version.go +++ b/version/version.go @@ -42,5 +42,5 @@ func GetHumanVersion() string { } // Strip off any single quotes added by the git information. - return "v" + strings.Replace(version, "'", "", -1) + return "v" + strings.ReplaceAll(version, "'", "") }
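Review bot: Only one of the three new write-error branches in `writeXML` and `writeError` (testutil/iamauthtest/testing.go) explains why the error is merely printed, although all three report through `fmt.Printf`. Repeat the reason at each site, for example `// Best effort: the handler has no *testing.T, so a failed write is only logged.` In `writeXML` the success path can also write the marshalled bytes directly with `if _, writeErr := w.Write(str); writeErr != nil {`, which avoids the `string(str)` copy and the `fmt` formatting pass. The fake server's output goes to stdout detached from any test name, so including the request path in the message would make a failure easier to trace, if the handler has it available.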