- Updated to Go 1.21.9 to address CVE-2023-45288

- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs - Bump to v1.9.3 - Update CHANGELOG Signed-off-by: Agustín Martínez Fayó <[email protected]>
spiffe · Apr 4, 2024 · d8de004 · d8de004
1 parent 4285a8b
commit d8de004
Show file tree

Hide file tree

Showing 8 changed files with 42 additions and 20 deletions.
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -3,7 +3,7 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.21.8
+  GO_VERSION: 1.21.9
 permissions:
   contents: read
 

diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
@@ -4,7 +4,7 @@ on:
     tags:
       - 'v[0-9].[0-9]+.[0-9]+'
 env:
-  GO_VERSION: 1.21.8
+  GO_VERSION: 1.21.9
 jobs:
   cache-deps:
     name: cache-deps (linux)

diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.21.8
+1.21.9
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [1.9.3] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.9.2] - 2024-03-25
 
 ### Added
@@ -52,6 +59,13 @@
 
 - X509-SVIDs issued by the server no longer have the x509UniqueIdentifier attribute as part of the subject (#4862)
 
+## [1.8.9] - 2024-04-03
+
+### Security
+
+- Updated to Go 1.21.9 to address CVE-2023-45288
+- Limit the preallocation of memory when making paginated requests to the ListEntries and ListAgents RPCs
+
 ## [1.8.8] - 2024-03-05
 
 ### Security

diff --git a/pkg/common/version/version.go b/pkg/common/version/version.go
@@ -8,7 +8,7 @@ const (
 	// IMPORTANT: When updating, make sure to reconcile the versions list that
 	// is part of the upgrade integration test. See
 	// test/integration/suites/upgrade/README.md for details.
-	Base = "1.9.2"
+	Base = "1.9.3"
 )
 
 var (

diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go
@@ -216,10 +216,16 @@ import (
 // | v1.8.7  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.8.8  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.8.9  |        |                                                                           |
 // |*********|********|***************************************************************************|
 // | v1.9.0  |        |                                                                           |
 // |---------|        |                                                                           |
 // | v1.9.1  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.9.2  |        |                                                                           |
+// |---------|        |                                                                           |
+// | v1.9.3  |        |                                                                           |
 // ================================================================================================
 
 const (

diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -64,6 +64,9 @@ const (
 
 	// PostgreSQL database type provided by an AWS service
 	AWSPostgreSQL = "aws_postgres"
+
+	// Maximum size for preallocation in a paginated request
+	maxResultPreallocation = 1000
 )
 
 // Configuration for the sql datastore implementation.
@@ -1691,13 +1694,7 @@ func listAttestedNodesOnce(ctx context.Context, db *sqlDB, req *datastore.ListAt
 	}
 	defer rows.Close()
 
-	var nodes []*common.AttestedNode
-	if req.Pagination != nil {
-		nodes = make([]*common.AttestedNode, 0, req.Pagination.PageSize)
-	} else {
-		nodes = make([]*common.AttestedNode, 0, 64)
-	}
-
+	nodes := make([]*common.AttestedNode, 0, calculateResultPreallocation(req.Pagination))
 	pushNode := func(node *common.AttestedNode) {
 		if node != nil && node.SpiffeId != "" {
 			nodes = append(nodes, node)
@@ -2758,15 +2755,7 @@ func listRegistrationEntriesOnce(ctx context.Context, db queryContext, databaseT
 	}
 	defer rows.Close()
 
-	var entries []*common.RegistrationEntry
-	if req.Pagination != nil {
-		entries = make([]*common.RegistrationEntry, 0, req.Pagination.PageSize)
-	} else {
-		// start the slice off with a little capacity to avoid the first few
-		// reallocations
-		entries = make([]*common.RegistrationEntry, 0, 64)
-	}
-
+	entries := make([]*common.RegistrationEntry, 0, calculateResultPreallocation(req.Pagination))
 	pushEntry := func(entry *common.RegistrationEntry) {
 		// Due to previous bugs (i.e. #1191), there can be cruft rows related
 		// to a deleted registration entries that are fetched with the list
@@ -4645,3 +4634,14 @@ func isPostgresDbType(dbType string) bool {
 func isSQLiteDbType(dbType string) bool {
 	return dbType == SQLite
 }
+
+func calculateResultPreallocation(pagination *datastore.Pagination) int32 {
+	switch {
+	case pagination == nil:
+		return 64
+	case pagination.PageSize < maxResultPreallocation:
+		return pagination.PageSize
+	default:
+		return maxResultPreallocation
+	}
+}
diff --git a/test/integration/suites/upgrade/versions.txt b/test/integration/suites/upgrade/versions.txt
@@ -7,5 +7,7 @@
 1.8.6
 1.8.7
 1.8.8
+1.8.9
 1.9.0
 1.9.1
+1.9.2