chore: fix cve #6446

Merged
zirain merged 2 commits into envoyproxy:main from zirain:fix-cve
Jul 2, 2025
Member

@zirain zirain commented Jul 2, 2025

Signed-off-by: zirain <[email protected]>
@zirain zirain requested a review from a team as a code owner July 2, 2025 01:03

codecov bot commented Jul 2, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.92%. Comparing base (70e76c8) to head (2bd6b40).
Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6446   +/-   ##
=======================================
  Coverage   70.92%   70.92%           
=======================================
  Files         220      220           
  Lines       37256    37256           
=======================================
  Hits        26424    26424           
- Misses       9287     9288    +1     
+ Partials     1545     1544    -1     

Signed-off-by: zirain <[email protected]>
@arkodg arkodg requested review from a team July 2, 2025 02:10
@zirain zirain enabled auto-merge (squash) July 2, 2025 02:12
@zirain zirain merged commit 3489680 into envoyproxy:main Jul 2, 2025
45 of 47 checks passed
@zirain zirain deleted the fix-cve branch July 2, 2025 02:16
shawnh2 pushed a commit to shawnh2/gateway that referenced this pull request Jul 2, 2025
* fix cve

Signed-off-by: zirain <[email protected]>

* lint

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
zhaohuabing added a commit that referenced this pull request Jul 4, 2025
* fix(translator): ext-proc full duplex streamed trailers and validation (#6323)
* fix ext proc validation and trailer management for full duplex streamed mode

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* feat: disable automountServiceAccountToken for proxy and ratelimit (#6364)

Signed-off-by: Jeff Davis <[email protected]>

* bugfix: make EnvoyPatchPolicy able to replace telemetry cluster (#6367)

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* feat: add validation of section name for Gateway listener (#6343)

* add validation of section name

Signed-off-by: kkk777-7 <[email protected]>

* update error status reason

Signed-off-by: kkk777-7 <[email protected]>

* refactor: define as function of validate section name for gateway listener

Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* fix: add configMap indexers for EEP reconciler (#6369)

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* fix: use buildEndpointType for access and tracing (#6370)

Signed-off-by: zirain <[email protected]>

* fix: default accesslog not working (#6441)
* fix default accesslog

Signed-off-by: zirain <[email protected]>

* release notes

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* chore: fix cve (#6446)

* fix cve

Signed-off-by: zirain <[email protected]>

* lint

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

* fix: Do not set backendRequestTimeout when Retries are set (#6421)

* fix: Do not set backendRequestTimeout when Retries are set

Signed-off-by: sudipto baral <[email protected]>

* fix: update comment

Signed-off-by: sudipto baral <[email protected]>

---------

Signed-off-by: sudipto baral <[email protected]>

* gatewayapi: don't append gwcResource if there's invalid GatewayClass (#6379)

* gatewayapi: don't process global resources when acceptedGateways is 0

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

* fix test

Signed-off-by: zirain <[email protected]>

* don't skip gateways

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* fix testdata

Signed-off-by: shawnh2 <[email protected]>

* fix k8s provider controller

Signed-off-by: shawnh2 <[email protected]>

* fix: retry reconcile on transient errors during reconcile (#6299)

* fix: add isTransientError helper to classify retryable errors

Introduces isTransientError to detect transient Kubernetes errors and
enable proper reconciliation retries.

Signed-off-by: Patryk Rostkowski <[email protected]>

handle errors from processing BackendRefs

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

handle errors from processing ConfigMap

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* skip invalid GatewayClass

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address comment

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* handle all transient errors

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* don't skip failed GCs

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Patryk Rostkowski <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 71ce56f)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix: fix bug in hostname overlap detection (#6332)

fix bug in hostname overlap detection

Signed-off-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit e78e268)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix telemetry with host port not working (#6460)

Signed-off-by: zirain <[email protected]>
(cherry picked from commit c0a2ce7)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* bugfix: BackendTlsPolicy should not reference across namespace (#6309)

* bugfix: BackendTlsPolicy should not reference across namespace

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 9925189)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: shawnh2 <[email protected]>
Signed-off-by: Jeff Davis <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: sudipto baral <[email protected]>
Signed-off-by: Patryk Rostkowski <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
Co-authored-by: Jeff Davis <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Kota Kimura <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: Sudipto Baral <[email protected]>
Co-authored-by: Patryk Rostkowski <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
shawnh2 added a commit to shawnh2/gateway that referenced this pull request Sep 15, 2025
* fix(translator): ext-proc full duplex streamed trailers and validation (envoyproxy#6323)
* fix ext proc validation and trailer management for full duplex streamed mode

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* feat: disable automountServiceAccountToken for proxy and ratelimit (envoyproxy#6364)

Signed-off-by: Jeff Davis <[email protected]>

* bugfix: make EnvoyPatchPolicy able to replace telemetry cluster (envoyproxy#6367)

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* feat: add validation of section name for Gateway listener (envoyproxy#6343)

* add validation of section name

Signed-off-by: kkk777-7 <[email protected]>

* update error status reason

Signed-off-by: kkk777-7 <[email protected]>

* refactor: define as function of validate section name for gateway listener

Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* fix: add configMap indexers for EEP reconciler (envoyproxy#6369)

Signed-off-by: Rudrakh Panigrahi <[email protected]>

* fix: use buildEndpointType for access and tracing (envoyproxy#6370)

Signed-off-by: zirain <[email protected]>

* fix: default accesslog not working (envoyproxy#6441)
* fix default accesslog

Signed-off-by: zirain <[email protected]>

* release notes

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* chore: fix cve (envoyproxy#6446)

* fix cve

Signed-off-by: zirain <[email protected]>

* lint

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>

* fix: Do not set backendRequestTimeout when Retries are set (envoyproxy#6421)

* fix: Do not set backendRequestTimeout when Retries are set

Signed-off-by: sudipto baral <[email protected]>

* fix: update comment

Signed-off-by: sudipto baral <[email protected]>

---------

Signed-off-by: sudipto baral <[email protected]>

* gatewayapi: don't append gwcResource if there's invalid GatewayClass (envoyproxy#6379)

* gatewayapi: don't process global resources when acceptedGateways is 0

Signed-off-by: zirain <[email protected]>

* update

Signed-off-by: zirain <[email protected]>

* fix test

Signed-off-by: zirain <[email protected]>

* don't skip gateways

Signed-off-by: zirain <[email protected]>

---------

Signed-off-by: zirain <[email protected]>
Signed-off-by: shawnh2 <[email protected]>

* fix testdata

Signed-off-by: shawnh2 <[email protected]>

* fix k8s provider controller

Signed-off-by: shawnh2 <[email protected]>

* fix: retry reconcile on transient errors during reconcile (envoyproxy#6299)

* fix: add isTransientError helper to classify retryable errors

Introduces isTransientError to detect transient Kubernetes errors and
enable proper reconciliation retries.

Signed-off-by: Patryk Rostkowski <[email protected]>

handle errors from processing BackendRefs

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

handle errors from processing ConfigMap

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* skip invalid GatewayClass

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* address comment

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* handle all transient errors

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* don't skip failed GCs

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Patryk Rostkowski <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
(cherry picked from commit 71ce56f)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix: fix bug in hostname overlap detection (envoyproxy#6332)

fix bug in hostname overlap detection

Signed-off-by: Rudrakh Panigrahi <[email protected]>
(cherry picked from commit e78e268)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* fix telemetry with host port not working (envoyproxy#6460)

Signed-off-by: zirain <[email protected]>
(cherry picked from commit c0a2ce7)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

* bugfix: BackendTlsPolicy should not reference across namespace (envoyproxy#6309)

* bugfix: BackendTlsPolicy should not reference across namespace

Signed-off-by: zirain <[email protected]>
(cherry picked from commit 9925189)
Signed-off-by: Huabing (Robin) Zhao <[email protected]>

---------

Signed-off-by: Guy Daich <[email protected]>
Signed-off-by: shawnh2 <[email protected]>
Signed-off-by: Jeff Davis <[email protected]>
Signed-off-by: zirain <[email protected]>
Signed-off-by: kkk777-7 <[email protected]>
Signed-off-by: Rudrakh Panigrahi <[email protected]>
Signed-off-by: sudipto baral <[email protected]>
Signed-off-by: Patryk Rostkowski <[email protected]>
Signed-off-by: Huabing (Robin) Zhao <[email protected]>
Co-authored-by: Guy Daich <[email protected]>
Co-authored-by: Jeff Davis <[email protected]>
Co-authored-by: zirain <[email protected]>
Co-authored-by: Kota Kimura <[email protected]>
Co-authored-by: Rudrakh Panigrahi <[email protected]>
Co-authored-by: Sudipto Baral <[email protected]>
Co-authored-by: Patryk Rostkowski <[email protected]>
Co-authored-by: Huabing (Robin) Zhao <[email protected]>
Signed-off-by: shawnh2 <[email protected]>
3 participants