From d6cb78aeb4c8f022157a145cb37640a7207ac440 Mon Sep 17 00:00:00 2001
From: Luis Neto
Date: Fri, 6 Feb 2026 10:01:07 +0000
Subject: [PATCH] TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341

* TUN-10216: TUN fix cloudflare vulnerabilities GO-2026-4340 and GO-2026-4341

Closes TUN-10216
---
.ci/image/Dockerfile | 66 +++++++++++++++++------------------
.ci/linux.gitlab-ci.yml | 6 ++--
.ci/mac.gitlab-ci.yml | 2 +-
.ci/scripts/mac/install-go.sh | 8 +++--
.ci/scripts/vuln-check.sh | 29 +++++++--------
.ci/windows.gitlab-ci.yml | 4 +--
.gitlab-ci.yml | 4 ++-
Dockerfile | 2 +-
Dockerfile.amd64 | 2 +-
Dockerfile.arm64 | 2 +-
10 files changed, 66 insertions(+), 59 deletions(-)

diff --git a/.ci/image/Dockerfile b/.ci/image/Dockerfile
index 2336f1d9..033ecc2a 100644
--- a/.ci/image/Dockerfile
+++ b/.ci/image/Dockerfile
@@ -2,38 +2,38 @@ ARG CLOUDFLARE_DOCKER_REGISTRY_HOST
 FROM ${CLOUDFLARE_DOCKER_REGISTRY_HOST:-registry.cfdata.org}/stash/cf/debian-images/trixie/main:2026.1.0@sha256:e32092fd01520f5ae7de1fa6bb5a721720900ebeaa48e98f36f6f86168833cd7
 RUN apt-get update && \
- apt-get upgrade -y && \
- apt-get install --no-install-recommends --allow-downgrades -y \
- build-essential \
- git \
- go-boring=1.24.11-1 \
- libffi-dev \
- procps \
- python3-dev \
- python3-pip \
- python3-setuptools \
- python3-venv \
- # tool to create msi packages
- wixl \
- # install ruby and rpm which are required to install fpm package builder
- rpm \
- ruby \
- ruby-dev \
- rubygems \
- # create deb and rpm repository files
- reprepro \
- createrepo-c \
- # gcc for cross architecture compilation in arm
- gcc-aarch64-linux-gnu \
- libc6-dev-arm64-cross && \
- rm -rf /var/lib/apt/lists/* && \
- # Install fpm gem
- gem install fpm --no-document && \
- # Initialize rpm repository, SQL Lite DB
- mkdir -p /var/lib/rpm && \
- rpm --initdb && \
- chmod -R 777 /var/lib/rpm && \
- # Create work directory
- mkdir -p opt
+ apt-get upgrade -y && \
+ apt-get install --no-install-recommends --allow-downgrades -y \
+ build-essential \
+ git \
+ go-boring=1.24.13-1 \
+ libffi-dev \
+ procps \
+ python3-dev \
+ python3-pip \
+ python3-setuptools \
+ python3-venv \
+ # tool to create msi packages
+ wixl \
+ # install ruby and rpm which are required to install fpm package builder
+ rpm \
+ ruby \
+ ruby-dev \
+ rubygems \
+ # create deb and rpm repository files
+ reprepro \
+ createrepo-c \
+ # gcc for cross architecture compilation in arm
+ gcc-aarch64-linux-gnu \
+ libc6-dev-arm64-cross && \
+ rm -rf /var/lib/apt/lists/* && \
+ # Install fpm gem
+ gem install fpm --no-document && \
+ # Initialize rpm repository, SQL Lite DB
+ mkdir -p /var/lib/rpm && \
+ rpm --initdb && \
+ chmod -R 777 /var/lib/rpm && \
+ # Create work directory
+ mkdir -p opt
 WORKDIR /opt
diff --git a/.ci/linux.gitlab-ci.yml b/.ci/linux.gitlab-ci.yml
index 2f2430db..4554feec 100644
--- a/.ci/linux.gitlab-ci.yml
+++ b/.ci/linux.gitlab-ci.yml
@@ -1,11 +1,11 @@
 .golang-inputs: &golang_inputs
 runOnMR: true
- runOnBranches: '^master$'
+ runOnBranches: "^master$"
 outputDir: artifacts
 runner: linux-x86-8cpu-16gb
 stage: build
 golangVersion: "boring-1.24"
- imageVersion: "3393-947ec7a@sha256:f81acc2c8ecaa84acb290c43c080702ae3aba6464201a20f9d6eff619be7c878"
+ imageVersion: "3462-0b23466e0715@sha256:42e8533370666a2463041572293a79e1449001ef803a993e6a860be00858c806"
 CGO_ENABLED: 1
 .default-packaging-job: &packaging-job-defaults
@@ -65,7 +65,7 @@ include:
 - component: $CI_SERVER_FQDN/cloudflare/ci/golang/boring-make@~latest
 inputs:
 <<: *golang_inputs
- runOnBranches: '^$'
+ runOnBranches: "^$"
 stage: validate
 jobPrefix: vulncheck
 GOLANG_MAKE_TARGET: vulncheck
diff --git a/.ci/mac.gitlab-ci.yml b/.ci/mac.gitlab-ci.yml
index 321adf5d..e2401e5e 100644
--- a/.ci/mac.gitlab-ci.yml
+++ b/.ci/mac.gitlab-ci.yml
@@ -28,7 +28,7 @@ macos-build-cloudflared: &mac-build
 - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
 - ARCH=$(uname -m)
 - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
- - ./.ci/scripts/mac/install-go.sh
+ - ./.ci/scripts/mac/install-go.sh "$MAC_GO_VERSION"
 - BUILD_SCRIPT=.ci/scripts/mac/build.sh
 - if [[ ! -x ${BUILD_SCRIPT} ]] ; then exit ; fi
 - set -euo pipefail
diff --git a/.ci/scripts/mac/install-go.sh b/.ci/scripts/mac/install-go.sh
index 17c084da..bf1d19bf 100755
--- a/.ci/scripts/mac/install-go.sh
+++ b/.ci/scripts/mac/install-go.sh
@@ -2,9 +2,13 @@
 rm -rf /tmp/go
 export GOCACHE=/tmp/gocache
 rm -rf $GOCACHE
-brew install go@1.24
+if [ -z "$1" ]
+ then
+ echo "No go version supplied"
+fi
+
+brew install "$1"
 go version
 which go
 go env
-
diff --git a/.ci/scripts/vuln-check.sh b/.ci/scripts/vuln-check.sh
index a4a82e0e..543492a5 100755
--- a/.ci/scripts/vuln-check.sh
+++ b/.ci/scripts/vuln-check.sh
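Review bot: The new empty-argument guard in install-go.sh only echoes and then continues, so `brew install "$1"` still runs with an empty argument; make the check fatal with `echo "No go version supplied" >&2` and `exit 1` inside the `if`. The hunk starts at line 2, so the script's first line is outside it and I cannot see whether it runs under `set -e`; if it does not, a failed `brew install` would not stop the job either, and the following `go version` would report whatever Go the runner already had rather than the toolchain this patch is meant to pin, so `set -euo pipefail` near the top would make that failure visible. The script now installs whichever formula name it is handed, and the pipeline passes `go@$GO_VERSION` (i.e. `go@1.24.13`) where the removed line used `go@1.24`; I am not certain Homebrew publishes a formula under a patch-level name like that, so please confirm on a macOS runner that the new value resolves and that the printed `go version` is 1.24.13.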
@@ -4,13 +4,14 @@ set -e -u
 # Define the file to store the list of vulnerabilities to ignore.
 IGNORE_FILE=".vulnignore"
+go version
 # Check if the ignored vulnerabilities file exists. If not, create an empty one.
 if [ ! -f "$IGNORE_FILE" ]; then
- touch "$IGNORE_FILE"
- echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
- echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >> "$IGNORE_FILE"
- echo "# You can also add comments on the same line after the ID." >> "$IGNORE_FILE"
- echo "" >> "$IGNORE_FILE"
+ touch "$IGNORE_FILE"
+ echo "Created an empty file to store ignored vulnerabilities: $IGNORE_FILE"
+ echo "# Add vulnerability IDs (e.g., GO-2022-0450) to ignore, one per line." >>"$IGNORE_FILE"
+ echo "# You can also add comments on the same line after the ID." >>"$IGNORE_FILE"
+ echo "" >>"$IGNORE_FILE"
 fi
 # Run govulncheck and capture its output.
@@ -35,18 +36,18 @@ UNIGNORED_VULNS=$(echo "$VULN_OUTPUT" | grep 'Vulnerability')
 # If the list of ignored vulnerabilities is not empty, filter them out.
 if [ -n "$CLEAN_IGNORES" ]; then
- UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
+ UNIGNORED_VULNS=$(echo "$UNIGNORED_VULNS" | grep -vFf <(echo "$CLEAN_IGNORES") || true)
 fi
 # If there are any vulnerabilities that were not in our ignore list, print them and exit with an error.
 if [ -n "$UNIGNORED_VULNS" ]; then
- echo "🚨 Found new, unignored vulnerabilities:"
- echo "-------------------------------------"
- echo "$UNIGNORED_VULNS"
- echo "-------------------------------------"
- echo "Exiting with an error. ❌"
- exit 1
+ echo "🚨 Found new, unignored vulnerabilities:"
+ echo "-------------------------------------"
+ echo "$UNIGNORED_VULNS"
+ echo "-------------------------------------"
+ echo "Exiting with an error. ❌"
+ exit 1
 else
- echo "🎉 No new vulnerabilities found. All clear! ✨"
- exit 0
+ echo "🎉 No new vulnerabilities found. All clear! ✨"
+ exit 0
 fi
diff --git a/.ci/windows.gitlab-ci.yml b/.ci/windows.gitlab-ci.yml
index 4a1bb35a..dfc064ec 100644
--- a/.ci/windows.gitlab-ci.yml
+++ b/.ci/windows.gitlab-ci.yml
@@ -18,7 +18,7 @@ windows-build-cloudflared:
 <<: *windows-build-defaults
 stage: build
 script:
- - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
+ - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\builds.ps1"
 artifacts:
 paths:
 - artifacts/*
@@ -73,7 +73,7 @@ windows-component-tests-cloudflared:
 script:
 # We have to decode the secret we encoded on the `windows-load-env-variables` job
 - $env:COMPONENT_TESTS_ORIGINCERT = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:COMPONENT_TESTS_ORIGINCERT))
- - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
+ - powershell -ExecutionPolicy Bypass -File ".\.ci\scripts\windows\go-wrapper.ps1" "${WIN_GO_VERSION}" ".\.ci\scripts\windows\component-test.ps1"
 artifacts:
 reports:
 junit: report.xml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 1b81f6b3..379fc281 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,7 @@
 variables:
- GO_VERSION: "go1.24.11"
+ GO_VERSION: "1.24.13"
+ MAC_GO_VERSION: "go@$GO_VERSION"
+ WIN_GO_VERSION: "go$GO_VERSION"
 GIT_DEPTH: "0"
 default:
diff --git a/Dockerfile b/Dockerfile
index 2cf735ab..8ef07376 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 # use a builder image for building cloudflare
 ARG TARGET_GOOS
 ARG TARGET_GOARCH
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
 CGO_ENABLED=0 \
 TARGET_GOOS=${TARGET_GOOS} \
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 871d0e24..bbace987 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
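Review bot: Any job or script outside this patch that still reads `$GO_VERSION` expecting the old `go1.24.11` form will silently receive `1.24.13` instead, because the variable's format changes in the `.gitlab-ci.yml` hunk without a comment saying so; the Windows jobs were moved to `WIN_GO_VERSION`, so it is worth checking the remaining pipeline files for other `GO_VERSION` readers before merging. A short comment above the block would make the intended bump procedure explicit, e.g. `# GO_VERSION is the single place to bump the Go toolchain; MAC_/WIN_GO_VERSION are derived from it and must not be set independently`. The same version is also pinned separately in the three `FROM golang:` lines of `Dockerfile`, `Dockerfile.amd64` and `Dockerfile.arm64` and in the `go-boring=` package of `.ci/image/Dockerfile`, none of which read `GO_VERSION`, so naming those locations in that comment would reduce the chance of a future patch-level fix landing in only some of them.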
@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
 CGO_ENABLED=0 \
 # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index 6dba868c..d6ec6718 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -1,5 +1,5 @@
 # use a builder image for building cloudflare
-FROM golang:1.24.11 AS builder
+FROM golang:1.24.13 AS builder
 ENV GO111MODULE=on \
 CGO_ENABLED=0 \
 # the CONTAINER_BUILD envvar is used set github.com/cloudflare/cloudflared/metrics.Runtime=virtual