Merge remote-tracking branch 'cactus/master'

Author: ewdurbin

.github/workflows/publish-docker.yml

@@ -12,7 +12,7 @@ jobs:
       - name: Setup Go ${{ matrix.goVer }}
         uses: actions/setup-go@v1
         with:
-          go-version: '1.17.x'
+          go-version: '1.19.x'
         id: go
 
       - name: Src Checkout

.github/workflows/unit-tests.yml

@@ -10,7 +10,7 @@ jobs:
     name: Build
     strategy:
       matrix:
-        go: ['1.17.x']
+        go: ['1.19.x']
         platform: [ubuntu-latest]
     runs-on: ${{ matrix.platform }}
     steps:
@@ -34,8 +34,8 @@ jobs:
         env:
           GOPROXY: "https://proxy.golang.org"
         run: |
-          go get honnef.co/go/tools/cmd/staticcheck
-          go get github.com/securego/gosec/cmd/gosec
+          go install honnef.co/go/tools/cmd/staticcheck@2023.1.1
+          go install github.com/securego/gosec/v2/cmd/gosec@latest
           hash -r
           make check
 

CHANGELOG.adoc

@@ -19,6 +19,21 @@ toc::[]
 
 == HEAD
 
+== v2.4.3 - 2023-02-18
+*   update library dependency golang.org/x/net. +
+    refs:
+    link:https://github.com/cactus/go-camo/security/dependabot/3[dependabot-3],
+    link:https://github.com/cactus/go-camo/security/dependabot/4[dependabot-4]
+
+== v2.4.2 - 2023-02-16
+*   update library dependency prometheus, covering CVE-2022-21698. +
+    Note that for go-camo, the issue in the prometheus library was exploitable
+    only when the metrics option/flag (--metrics) is enabled.
+*   build with go1.19.5
+
+== v2.4.1 - 2022-09-28
+*   Rebuild release with go-1.19.1
+
 == v2.4.0 - 2022-01-30
 *   Add support for internal address proxies (HTTP(S)_PROXY). +
     issue #55

Makefile

@@ -54,7 +54,7 @@ setup-gox:
 	@if [ -z "$(shell which gox)" ]; then \
 		echo "* 'gox' command not found."; \
 		echo "  install (or otherwise ensure presence in PATH)"; \
-		echo "  go get github.com/mitchellh/gox"; \
+		echo "  go install github.com/mitchellh/gox"; \
 		exit 1;\
 	fi
 

go.mod

@@ -1,13 +1,27 @@
 module github.com/cactus/go-camo
 
+go 1.19
+
 require (
 	github.com/cactus/mlog v1.0.4
-	github.com/jessevdk/go-flags v1.4.0
-	github.com/prometheus/client_golang v1.11.0
-	github.com/prometheus/common v0.26.0
+	github.com/jessevdk/go-flags v1.5.0
+	github.com/prometheus/client_golang v1.14.0
+	github.com/prometheus/common v0.39.0
 	github.com/xlab/treeprint v1.1.0
-	golang.org/x/net v0.0.0-20210224082022-3d97a244fca7
-	gotest.tools/v3 v3.0.3
+	golang.org/x/net v0.7.0
+	gotest.tools/v3 v3.4.0
 )
 
-go 1.13
+require (
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cactus/tai64 v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	google.golang.org/protobuf v1.28.1 // indirect
+)

go.sum

@@ -6,7 +6,7 @@ package camo
 
 import (
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -74,7 +74,7 @@ func makeTestReq(testURL string, status int, config Config) (*http.Response, err
 }
 
 func bodyAssert(t *testing.T, expected string, resp *http.Response) {
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	assert.Check(t, err)
 	bodyString := string(body)
 	assert.Check(t, is.Equal(expected, bodyString), "Expected 404 response body but got '%s' instead",

pkg/camo/helpers_test.go

@@ -169,7 +169,13 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	resp, err := p.client.Do(nreq)
 
 	if resp != nil {
-		defer resp.Body.Close()
+		defer func() {
+			if err:= resp.Body.Close(); err != nil {
+				if mlog.HasDebug() {
+					mlog.Debug("error on body close. ignoring.")
+				}
+			}
+		}()
 	}
 
 	if err != nil {

pkg/camo/proxy.go

@@ -9,7 +9,6 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptest"
@@ -242,7 +241,7 @@ func TestServerEarlyEOF(t *testing.T) {
 	resp, err := processRequest(req, 200, c, nil)
 	assert.Check(t, err)
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	assert.Check(t, err)
 	assert.Check(t, is.Len(body, 0))
 }