diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml index be773c2b0e..744a398b5a 100644 --- a/.github/workflows/go-tests.yml +++ b/.github/workflows/go-tests.yml @@ -376,7 +376,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" - go-version: "1.19.10" + go-version: "1.19" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read @@ -395,12 +395,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" - # pinning this to 1.20.5 because this issue in go-testcontainers occurs - # in 1.20.6 with the error "http: invalid Host header, host port waiting failed" - # https://github.com/testcontainers/testcontainers-go/issues/1359 - # remove setting this when the above issue is fixed so that the reusable - # job will just get the go version from go.mod. - go-version: "1.20.5" + go-version: "1.20" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read @@ -438,6 +433,7 @@ jobs: runs-on: ${{ needs.setup.outputs.compute-xl }} repository-name: ${{ github.repository }} go-tags: "${{ github.event.repository.name == 'consul-enterprise' && 'consulent consulprem consuldev' || '' }}" + go-version: "1.20" permissions: id-token: write # NOTE: this permission is explicitly required for Vault auth. contents: read diff --git a/api/api.go b/api/api.go index 1fe0c71b61..18bb3479c9 100644 --- a/api/api.go +++ b/api/api.go @@ -1000,6 +1000,17 @@ func (r *request) toHTTP() (*http.Request, error) { return nil, err } + // validate that socket communications that do not use the host, detect + // slashes in the host name and replace it with local host. + // this is required since go started validating req.host in 1.20.6 and 1.19.11. + // prior to that they would strip out the slashes for you. They removed that + // behavior and added more strict validation as part of a CVE. + // https://github.com/golang/go/issues/60374 + // the hope is that + if strings.HasPrefix(r.url.Host, "/") { + r.url.Host = "localhost" + } + req.URL.Host = r.url.Host req.URL.Scheme = r.url.Scheme req.Host = r.url.Host