From 57cf952ea98db70fcf50ec31e1c1057562b0a1df Mon Sep 17 00:00:00 2001
From: sterni
Date: Sun, 30 Oct 2022 22:28:02 +0100
Subject: chore(3p/sources): Bump channels & overlays (OpenSSL edition)
* //ops/machines/whitby: Disable grafana, since the grafana module was changed upstream in a way that our configuration no longer works. Since the OpenSSL security update is relatively pressing, adapting the grafana configuration beforehand is not a hard requirement. See https://github.com/NixOS/nixpkgs/pull/191768.
* //tools/depotfmt: keep Go at version 1.18 to forgo a reformat of the tree.
* //nix/buildGo: keep Go at version 1.18, as 1.19 changed the CLI interface (?) in a way that breaks buildGo.
* //3p/overlays/tvl: drop upstreamed tdlib upgrade.
* //3p/overlays/tvl: patch buf to work around breakage due to git 2.38.1
TODO items for Go are tracked in b/215.
Change-Id: Ie08fef49cf3db12e6b5225a8b992a990ddc5b642
Reviewed-on: https://cl.tvl.fyi/c/depot/+/7141
Tested-by: BuildkiteCI
Autosubmit: sterni
Reviewed-by: grfn
Reviewed-by: tazjin
---
.../buf-tests-dont-use-file-transport.patch | 64 ++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
(limited to 'third_party/overlays/patches/buf-tests-dont-use-file-transport.patch')
diff --git a/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
new file mode 100644
index 000000000000..34be80eb361d
--- /dev/null
+++ b/third_party/overlays/patches/buf-tests-dont-use-file-transport.patch
@@ -0,0 +1,64 @@
+commit e9219b88de5ed37af337ee2d2e71e7ec7c0aad1b
+Author: Robbert van Ginkel
+Date: Thu Oct 20 16:43:28 2022 -0400
+
+ Fix git unit test by using fake git server rather than file:// (#1518)
+
+ More recent versions of git fix a CVE by disabling some usage of the
+ `file://` transport, see
+ https://github.blog/2022-10-18-git-security-vulnerabilities-announced/#cve-2022-39253.
+ We were using this transport in tests.
+
+ Instead, use https://git-scm.com/docs/git-http-backend to serve up this
+ repository locally so we don't have to use the file protocol. This
+ should be a more accurate tests, since we mostly expect submodules to
+ come from servers.
+
+diff --git a/.golangci.yml b/.golangci.yml
+index 318d1171..865e03e7 100644
+--- a/.golangci.yml
++++ b/.golangci.yml
+@@ -136,3 +136,8 @@ issues:
+ - linters:
+ - containedctx
+ path: private/bufpkg/bufmodule/bufmoduleprotocompile
++ # We should be able to use net/http/cgi in a unit test, in addition the CVE mentions only versions of go < 1.6.3 are affected.
++ - linters:
++ - gosec
++ path: private/pkg/git/git_test.go
++ text: "G504:"
+diff --git a/private/pkg/git/git_test.go b/private/pkg/git/git_test.go
+index 7b77b6cd..7132054e 100644
+--- a/private/pkg/git/git_test.go
++++ b/private/pkg/git/git_test.go
+@@ -17,6 +17,8 @@ package git
+ import (
+ "context"
+ "errors"
++ "net/http/cgi"
++ "net/http/httptest"
+ "os"
+ "os/exec"
+ "path/filepath"
+@@ -213,6 +215,21 @@ func createGitDirs(
+ runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "add", "test.proto")
+ runCommand(ctx, t, container, runner, "git", "-C", submodulePath, "commit", "-m", "commit 0")
+
++ gitExecPath, err := command.RunStdout(ctx, container, runner, "git", "--exec-path")
++ require.NoError(t, err)
++ t.Log(filepath.Join(string(gitExecPath), "git-http-backend"))
++ // https://git-scm.com/docs/git-http-backend#_description
++ f, err := os.Create(filepath.Join(submodulePath, ".git", "git-daemon-export-ok"))
++ require.NoError(t, err)
++ require.NoError(t, f.Close())
++ server := httptest.NewServer(&cgi.Handler{
++ Path: filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"),
++ Dir: submodulePath,
++ Env: []string{"GIT_PROJECT_ROOT=" + submodulePath},
++ })
++ t.Cleanup(server.Close)
++ submodulePath = server.URL
++
+ originPath := filepath.Join(tmpDir, "origin")
+ require.NoError(t, os.MkdirAll(originPath, 0777))
+ runCommand(ctx, t, container, runner, "git", "-C", originPath, "init")
-- cgit 1.4.1
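Review bot: The `t.Log` line at the top of the new block in `createGitDirs` prints `string(gitExecPath)` untrimmed, while the `cgi.Handler` `Path` field a few lines below trims the same output with `strings.TrimSpace`, so the logged path carries a trailing newline and differs from the one actually used; it reads as leftover debugging and should either be dropped or reuse the trimmed value, e.g. `t.Log(filepath.Join(strings.TrimSpace(string(gitExecPath)), "git-http-backend"))`. The CGI server is created with `httptest.NewServer`, which binds to the loopback interface only, and the `git-daemon-export-ok` marker is what lets `git-http-backend` serve the repository without `GIT_HTTP_EXPORT_ALL`; that scoping is the reason the gosec G504 exclusion in `.golangci.yml` is acceptable, and a one-line comment there saying so (`# loopback-only httptest server in a unit test`) would make the exception self-explanatory. This is an upstream buf commit carried verbatim as an overlay patch, so the fix belongs upstream or in a refreshed patch rather than in a local edit. `createGitDirs` begins and ends outside the hunk.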