
Fix: upgrade grpc-go to v1.79.3 for CVE-2026-33186#5

Merged
cbullinger merged 2 commits into main from security/fix-grpc-go-cve-2026-33186
Mar 19, 2026

Conversation


@cbullinger cbullinger commented Mar 19, 2026

Summary

  • Upgrades the transitive google.golang.org/grpc dependency from v1.78.0 to v1.79.3 to fix a critical authorization bypass vulnerability (CVSS 9.1)

Security Issue Addressed

Critical Severity

  • CVE-2026-33186 (GHSA-p77j-4mvh-x3m3): gRPC-Go authorization bypass via missing leading slash in HTTP/2 :path pseudo-header
    • CVSS Score: 9.1
    • Impact: Authorization interceptors (including grpc/authz) evaluated non-canonical paths, allowing "deny" rules to be bypassed when a fallback "allow" rule was present

Changes

  • Updated google.golang.org/grpc from v1.78.0 to v1.79.3 in go.mod (indirect dependency)
  • Updated go.sum checksums accordingly

Notes

  • grpc-go is a transitive dependency in this project, pulled in by Google Cloud SDK libraries (secretmanager, logging) and OpenTelemetry gRPC instrumentation
  • This project does not import grpc-go directly in any .go source files
  • Build passes with no breakage

Dependabot Alerts Resolved

Resolves https://github.com/grove-platform/github-copier/security/dependabot/1

Test Plan

  • go get google.golang.org/grpc@v1.79.3 succeeded
  • go mod tidy completed cleanly
  • go.mod confirms v1.79.3
  • go build ./... passes
  • Pre-commit hooks pass (gitleaks, golangci-lint)
  • CI pipeline passes

Made with Cursor
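Added illustration of the bug class this PR patches, not code from this repository or from grpc-go: a constructed Go policy matcher (the `Policy` type, `naiveAuthorize`, `isCanonicalMethod` and `hardenedAuthorize` are all assumptions for this example) shows why a method path that lacks its leading slash slips past a deny rule when a fallback allow rule exists, and how validating the path before any rule is consulted closes that gap.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a constructed simplification of an authz policy: deny rules are
// checked first, then allow rules; "*" is a fallback allow for any method.
type Policy struct {
	Deny  []string
	Allow []string
}

// naiveAuthorize compares the method name exactly as received, so
// "admin.Service/Delete" (no leading slash) never equals a deny rule written
// as "/admin.Service/Delete" and falls through to the "*" allow rule.
func naiveAuthorize(p Policy, method string) bool {
	for _, d := range p.Deny {
		if d == method {
			return false
		}
	}
	for _, a := range p.Allow {
		if a == "*" || a == method {
			return true
		}
	}
	return false
}

// isCanonicalMethod accepts only "/service/method"; a path missing its
// leading slash is rejected instead of being compared against the rules.
func isCanonicalMethod(method string) bool {
	parts := strings.Split(method, "/")
	return strings.HasPrefix(method, "/") && len(parts) == 3 && parts[1] != "" && parts[2] != ""
}

// hardenedAuthorize validates the path before any rule is consulted.
func hardenedAuthorize(p Policy, method string) bool {
	return isCanonicalMethod(method) && naiveAuthorize(p, method)
}

func main() {
	p := Policy{Deny: []string{"/admin.Service/Delete"}, Allow: []string{"*"}}
	// Constructed request path lacking the leading slash: naive matcher allows it, hardened one does not.
	fmt.Println(naiveAuthorize(p, "admin.Service/Delete"), hardenedAuthorize(p, "admin.Service/Delete"))
}
```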

Updates the transitive grpc-go dependency from v1.78.0 to v1.79.3
to address a critical (CVSS 9.1) authorization bypass vulnerability
via missing leading slash in the HTTP/2 :path pseudo-header.

Resolves Dependabot alert #1.

Made-with: Cursor

LogWarning already had the annotation; LogInfo and LogError use the
same structured logging pattern but were missing it, causing gosec
CI failures.

Made-with: Cursor

@dacharyc dacharyc left a comment


Thanks for fixing this up! 🙏 ✅

Comment thread services/logger.go
// LogInfo writes an info-level log.
func LogInfo(message string, args ...any) {
slog.Info(message, args...)
slog.Info(message, args...) // #nosec G706 -- structured logging; args are key-value pairs, not user input
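Review bot: the `#nosec G706` justification on the `slog.Info` line claims `args` are key-value pairs and not user input, but `LogInfo(message string, args ...any)` is a package-level wrapper that forwards whatever any caller passes, so the suppression silences the finding for every present and future call site rather than for one that was actually checked. Suggest documenting that contract in the `// LogInfo` doc comment (constant message strings, structured key-value pairs, nothing request-derived) so reviewers of new call sites know what the suppression assumes, and applying the same wording to LogError since the second commit gives it the identical annotation.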

That's... fun...

@cbullinger cbullinger merged commit cc2eabe into main Mar 19, 2026
7 checks passed
@cbullinger cbullinger deleted the security/fix-grpc-go-cve-2026-33186 branch March 19, 2026 15:02
cbullinger added a commit that referenced this pull request Apr 22, 2026
- handleRepoPermission: return {allowed, error?} per repo instead of a
  raw bool map. The frontend now shows GitHub rate-limit / transient
  errors in replay-button tooltips instead of generic "no access". UI
  keeps boolean-shape compat for partial rollouts. (review #7)

- githubCreateVersionTag: apply the same ghUsernameRe / ghRepoNameRe
  whitelist + url.PathEscape treatment ghAPIGetRepoPermission already
  uses. Also add a ghBranchNameRe check. Env-vars only today, but keeps
  the SSRF hardening story consistent across the package. (review #8)

- sharedGithubHTTPClient package var replaces per-call allocation in
  githubHTTPClient(). (review minor)

- ReleaseAPIMode typed string with ReleaseAPIDisabled /
  ReleaseAPITagCreateEnabled constants. (review minor)

- truncate() is now rune-aware so multi-byte LLM output isn't cut
  mid-glyph in error logs. (review minor)

- Replay delivery IDs append a 3-byte random suffix so two replays in
  the same millisecond can't collide on the trace ring. (review minor)

- Anthropic fallback model list trimmed to one stable alias
  (claude-haiku-4-5). Listing rotating dated IDs here ships dead
  dropdown options on every Claude release. (review #9)

- Normalize the Anthropic default model to the aliased form
  ("claude-haiku-4-5") in configs/environment.go and llm_anthropic.go
  so every default path matches ci.yml and env-cloudrun.yaml. (review #10)

- AI settings UI hint calls out that settings are process-global,
  affect all operators, and revert on restart. Fixes the "two operators
  clobber each other silently" footgun. (review #5)
