mirror of
https://github.com/moby/moby.git
synced 2026-01-11 18:51:37 +00:00
0aed907a86
This minor release includes 10 security fixes following the security policy:
- net/mail: excessive CPU consumption in ParseAddress
The ParseAddress function constructed domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this could cause excessive CPU consumption.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61725 and Go issue https://go.dev/issue/75680.
- crypto/x509: quadratic complexity when checking name constraints
Due to the design of the name constraint checking algorithm, the processing time
of some inputs scales non-linearly with respect to the size of the certificate.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58187 and Go issue https://go.dev/issue/75681.
- crypto/tls: ALPN negotiation errors can contain arbitrary text
The crypto/tls conn.Handshake method returns an error on the server-side when
ALPN negotation fails which can contain arbitrary attacker controlled
information provided by the client-side of the connection which is not escaped.
This affects programs which log these errors without any additional form of
sanitization, and may allow injection of attacker controlled information into
logs.
Thanks to National Cyber Security Centre Finland for reporting this issue.
This is CVE-2025-58189 and Go issue https://go.dev/issue/75652.
- encoding/pem: quadratic complexity when parsing some invalid inputs
Due to the design of the PEM parsing function, the processing time for some
inputs scales non-linearly with respect to the size of the input.
This affects programs which parse untrusted PEM inputs.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61723 and Go issue https://go.dev/issue/75676.
- net/url: insufficient validation of bracketed IPv6 hostnames
The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.
Thanks to Enze Wang, Jingcheng Yang and Zehui Miao of Tsinghua University for reporting this issue.
This is CVE-2025-47912 and Go issue https://go.dev/issue/75678.
- encoding/asn1: pre-allocating memory when parsing DER payload can cause memory exhaustion
When parsing DER payloads, memories were being allocated prior to fully validating the payloads.
This permits an attacker to craft a big empty DER payload to cause memory exhaustion in functions such as asn1.Unmarshal, x509.ParseCertificateRequest, and ocsp.ParseResponse.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58185 and Go issue https://go.dev/issue/75671.
- net/http: lack of limit when parsing cookies can cause memory exhaustion
Despite HTTP headers having a default limit of 1 MB, the number of cookies that can be parsed did not have a limit.
By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.
net/http now limits the number of cookies accepted to 3000, which can be adjusted using the httpcookiemaxnum GODEBUG option.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-58186 and Go issue https://go.dev/issue/75672.
- crypto/x509: panic when validating certificates with DSA public keys
Validating certificate chains which contain DSA public keys can cause programs
to panic, due to a interface cast that assumes they implement the Equal method.
This affects programs which validate arbitrary certificate chains.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-58188 and Go issue https://go.dev/issue/75675.
- archive/tar: unbounded allocation when parsing GNU sparse map
tar.Reader did not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions could cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input could result in large allocations.
Thanks to Harshit Gupta (Mr HAX) - https://www.linkedin.com/in/iam-harshit-gupta/ for reporting this issue.
This is CVE-2025-58183 and Go issue https://go.dev/issue/75677.
- net/textproto: excessive CPU consumption in Reader.ReadResponse
The Reader.ReadResponse function constructed a response string through
repeated string concatenation of lines. When the number of lines in a response is large,
this could cause excessive CPU consumption.
Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61724 and Go issue https://go.dev/issue/75716.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
362 lines
15 KiB
YAML
362 lines
15 KiB
YAML
version: "2"
|
|
|
|
run:
|
|
# prevent golangci-lint from deducting the go version to lint for through go.mod,
|
|
# which causes it to fallback to go1.17 semantics.
|
|
go: "1.24.8"
|
|
concurrency: 2
|
|
# Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
|
|
# modules-download-mode: vendor
|
|
|
|
formatters:
|
|
enable:
|
|
- gofmt
|
|
- goimports
|
|
|
|
linters:
|
|
enable:
|
|
- asasalint # Detects "[]any" used as argument for variadic "func(...any)".
|
|
- copyloopvar # Detects places where loop variables are copied.
|
|
- depguard
|
|
- dogsled # Detects assignments with too many blank identifiers.
|
|
- dupword # Detects duplicate words.
|
|
- durationcheck # Detect cases where two time.Duration values are being multiplied in possibly erroneous ways.
|
|
- errorlint # Detects code that will cause problems with the error wrapping scheme introduced in Go 1.13.
|
|
- errchkjson # Detects unsupported types passed to json encoding functions and reports if checks for the returned error can be omitted.
|
|
- exhaustive # Detects missing options in enum switch statements.
|
|
- exptostd # Detects functions from golang.org/x/exp/ that can be replaced by std functions.
|
|
- fatcontext # Detects nested contexts in loops and function literals.
|
|
- forbidigo
|
|
- gocheckcompilerdirectives # Detects invalid go compiler directive comments (//go:).
|
|
- gocritic # Detects for bugs, performance and style issues.
|
|
- gosec # Detects security problems.
|
|
- govet
|
|
- iface # Detects incorrect use of interfaces. Currently only used for "identical" interfaces in the same package.
|
|
- importas
|
|
- ineffassign
|
|
- makezero # Finds slice declarations with non-zero initial length.
|
|
- mirror # Detects wrong mirror patterns of bytes/strings usage.
|
|
- misspell # Detects commonly misspelled English words in comments.
|
|
- nakedret # Detects uses of naked returns.
|
|
- nilnesserr # Detects returning nil errors. It combines the features of nilness and nilerr,
|
|
- nosprintfhostport # Detects misuse of Sprintf to construct a host with port in a URL.
|
|
- reassign # Detects reassigning a top-level variable in another package.
|
|
- revive # Metalinter; drop-in replacement for golint.
|
|
- spancheck # Detects mistakes with OpenTelemetry/Census spans.
|
|
- staticcheck
|
|
- thelper
|
|
- unconvert # Detects unnecessary type conversions.
|
|
- unused
|
|
- usestdlibvars # Detects the possibility to use variables/constants from the Go standard library.
|
|
- wastedassign # Detects wasted assignment statements.
|
|
|
|
disable:
|
|
- errcheck
|
|
- spancheck # FIXME
|
|
|
|
settings:
|
|
depguard:
|
|
rules:
|
|
main:
|
|
deny:
|
|
- pkg: "github.com/stretchr/testify/assert"
|
|
desc: Use "gotest.tools/v3/assert" instead
|
|
- pkg: "github.com/stretchr/testify/require"
|
|
desc: Use "gotest.tools/v3/assert" instead
|
|
- pkg: "github.com/stretchr/testify/suite"
|
|
desc: Do not use
|
|
- pkg: "github.com/containerd/containerd/pkg/userns"
|
|
desc: Use github.com/moby/sys/userns instead.
|
|
- pkg: "github.com/tonistiigi/fsutil"
|
|
desc: The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary.
|
|
- pkg: "github.com/hashicorp/go-multierror"
|
|
desc: "Use errors.Join instead"
|
|
|
|
dupword:
|
|
ignore:
|
|
- "true" # some tests use this as expected output
|
|
- "false" # some tests use this as expected output
|
|
- "root" # for tests using "ls" output with files owned by "root:root"
|
|
|
|
errorlint:
|
|
# Check whether fmt.Errorf uses the %w verb for formatting errors.
|
|
# See the https://github.com/polyfloyd/go-errorlint for caveats.
|
|
errorf: false
|
|
# Check for plain type assertions and type switches.
|
|
asserts: false
|
|
|
|
exhaustive:
|
|
# Program elements to check for exhaustiveness.
|
|
# Default: [ switch ]
|
|
check:
|
|
- switch
|
|
# - map # TODO(thaJeztah): also enable for maps
|
|
# Presence of "default" case in switch statements satisfies exhaustiveness,
|
|
# even if all enum members are not listed.
|
|
# Default: false
|
|
#
|
|
# TODO(thaJeztah): consider not allowing this to catch new values being added (and falling through to "default")
|
|
default-signifies-exhaustive: true
|
|
|
|
forbidigo:
|
|
forbid:
|
|
- pkg: ^sync/atomic$
|
|
pattern: ^atomic\.(Add|CompareAndSwap|Load|Store|Swap).
|
|
msg: Go 1.19 atomic types should be used instead.
|
|
- pkg: ^regexp$
|
|
pattern: ^regexp\.MustCompile
|
|
msg: Use daemon/internal/lazyregexp.New instead.
|
|
- pkg: github.com/vishvananda/netlink$
|
|
pattern: ^netlink\.(Handle\.)?(AddrList|BridgeVlanList|ChainList|ClassList|ConntrackTableList|ConntrackDeleteFilter$|ConntrackDeleteFilters|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByName|LinkByAlias|LinkList|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteList|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList|XfrmPolicyList|XfrmStateList)
|
|
msg: Use internal nlwrap package for EINTR handling.
|
|
- pkg: github.com/moby/moby/v2/internal/nlwrap$
|
|
pattern: ^nlwrap.Handle.(BridgeVlanList|ChainList|ClassList|ConntrackDeleteFilter$|DevLinkGetDeviceList|DevLinkGetAllPortList|DevlinkGetDeviceParams|FilterList|FouList|GenlFamilyList|GTPPDPList|LinkByAlias|LinkSubscribeWithOptions|NeighList$|NeighProxyList|NeighListExecute|NeighSubscribeWithOptions|LinkGetProtinfo|QdiscList|RdmaLinkList|RdmaLinkByName|RdmaLinkDel|RouteListFilteredIter|RuleListFiltered$|RouteSubscribeWithOptions|RuleList$|RuleListFiltered|SocketGet|SocketDiagTCPInfo|SocketDiagTCP|SocketDiagUDPInfo|SocketDiagUDP|UnixSocketDiagInfo|UnixSocketDiag|VDPAGetDevConfigList|VDPAGetDevList|VDPAGetMGMTDevList)
|
|
msg: Add a wrapper to nlwrap.Handle for EINTR handling and update the list in .golangci.yml.
|
|
analyze-types: true
|
|
|
|
gocritic:
|
|
disabled-checks:
|
|
- appendAssign
|
|
- appendCombine
|
|
- assignOp
|
|
- builtinShadow
|
|
- builtinShadowDecl
|
|
- captLocal
|
|
- commentedOutCode
|
|
- deferInLoop
|
|
- dupImport
|
|
- dupSubExpr
|
|
- elseif
|
|
- emptyFallthrough
|
|
- equalFold
|
|
- evalOrder
|
|
- exitAfterDefer
|
|
- exposedSyncMutex
|
|
- filepathJoin
|
|
- hexLiteral
|
|
- hugeParam
|
|
- ifElseChain
|
|
- importShadow
|
|
- indexAlloc
|
|
- methodExprCall
|
|
- nestingReduce
|
|
- nilValReturn
|
|
- octalLiteral
|
|
- paramTypeCombine
|
|
- preferStringWriter
|
|
- ptrToRefParam
|
|
- rangeValCopy
|
|
- redundantSprint
|
|
- regexpMust
|
|
- regexpSimplify
|
|
- singleCaseSwitch
|
|
- sloppyReassign
|
|
- stringXbytes
|
|
- typeAssertChain
|
|
- typeDefFirst
|
|
- typeUnparen
|
|
- uncheckedInlineErr
|
|
- unlambda
|
|
- unnamedResult
|
|
- unnecessaryDefer
|
|
- unslice
|
|
- valSwap
|
|
- whyNoLint
|
|
enable-all: true
|
|
|
|
gosec:
|
|
excludes:
|
|
- G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
|
|
- G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/moby/moby/issues/48358)
|
|
- G204 # G204: Subprocess launched with variable; too many false positives.
|
|
- G301 # G301: Expect directory permissions to be 0750 or less (also EXC0009); too restrictive
|
|
- G302 # G302: Expect file permissions to be 0600 or less (also EXC0009); too restrictive
|
|
- G304 # G304: Potential file inclusion via variable.
|
|
- G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
|
|
- G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
|
|
- G504 # G504: Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386); (only affects go < 1.6.3)
|
|
|
|
govet:
|
|
enable-all: true
|
|
disable:
|
|
- fieldalignment # TODO: evaluate which ones should be updated.
|
|
|
|
importas:
|
|
# Do not allow unaliased imports of aliased packages.
|
|
no-unaliased: true
|
|
|
|
alias:
|
|
# Enforce alias to prevent it accidentally being used instead of our
|
|
# own errdefs package (or vice-versa).
|
|
- pkg: github.com/containerd/errdefs
|
|
alias: cerrdefs
|
|
- pkg: github.com/containerd/containerd/images
|
|
alias: c8dimages
|
|
- pkg: github.com/opencontainers/image-spec/specs-go/v1
|
|
alias: ocispec
|
|
- pkg: github.com/moby/docker-image-spec/specs-go/v1
|
|
alias: dockerspec
|
|
- pkg: go.etcd.io/bbolt
|
|
alias: bolt
|
|
# Enforce that gotest.tools/v3/assert/cmp is always aliased as "is"
|
|
- pkg: gotest.tools/v3/assert/cmp
|
|
alias: is
|
|
|
|
nakedret:
|
|
# Disallow naked returns if func has more lines of code than this setting.
|
|
# Default: 30
|
|
max-func-lines: 0
|
|
|
|
revive:
|
|
# Only listed rules are applied
|
|
# https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
|
|
rules:
|
|
- name: increment-decrement
|
|
# FIXME make sure all packages have a description. Currently, there's many packages without.
|
|
- name: package-comments
|
|
disabled: true
|
|
- name: redefines-builtin-id
|
|
- name: superfluous-else
|
|
arguments:
|
|
- preserve-scope
|
|
- name: use-any
|
|
- name: use-errors-new
|
|
- name: var-declaration
|
|
|
|
staticcheck:
|
|
checks:
|
|
- all
|
|
- -QF1008 # Omit embedded fields from selector expression; https://staticcheck.dev/docs/checks/#QF1008
|
|
- -ST1000 # Incorrect or missing package comment; https://staticcheck.dev/docs/checks/#ST1000
|
|
- -ST1003 # Poorly chosen identifier; https://staticcheck.dev/docs/checks/#ST1003
|
|
- -ST1005 # Incorrectly formatted error string; https://staticcheck.dev/docs/checks/#ST1005
|
|
|
|
spancheck:
|
|
# Default: ["end"]
|
|
checks:
|
|
- end # check that `span.End()` is called
|
|
- record-error # check that `span.RecordError(err)` is called when an error is returned
|
|
- set-status # check that `span.SetStatus(codes.Error, msg)` is called when an error is returned
|
|
|
|
thelper:
|
|
test:
|
|
# Check *testing.T is first param (or after context.Context) of helper function.
|
|
first: false
|
|
# Check t.Helper() begins helper function.
|
|
begin: false
|
|
benchmark:
|
|
# Check *testing.B is first param (or after context.Context) of helper function.
|
|
first: false
|
|
# Check b.Helper() begins helper function.
|
|
begin: false
|
|
tb:
|
|
# Check *testing.TB is first param (or after context.Context) of helper function.
|
|
first: false
|
|
# Check *testing.TB param has name tb.
|
|
name: false
|
|
# Check tb.Helper() begins helper function.
|
|
begin: false
|
|
fuzz:
|
|
# Check *testing.F is first param (or after context.Context) of helper function.
|
|
first: false
|
|
# Check f.Helper() begins helper function.
|
|
begin: false
|
|
|
|
usestdlibvars:
|
|
# Suggest the use of http.MethodXX.
|
|
http-method: true
|
|
# Suggest the use of http.StatusXX.
|
|
http-status-code: true
|
|
|
|
exclusions:
|
|
rules:
|
|
# We prefer to use an "linters.exclusions.rules" so that new "default" exclusions are not
|
|
# automatically inherited. We can decide whether or not to follow upstream
|
|
# defaults when updating golang-ci-lint versions.
|
|
# Unfortunately, this means we have to copy the whole exclusion pattern, as
|
|
# (unlike the "include" option), the "exclude" option does not take exclusion
|
|
# ID's.
|
|
#
|
|
# These exclusion patterns are copied from the default excludes at:
|
|
# https://github.com/golangci/golangci-lint/blob/v1.61.0/pkg/config/issues.go#L11-L104
|
|
#
|
|
# The default list of exclusions can be found at:
|
|
# https://golangci-lint.run/usage/false-positives/#default-exclusions
|
|
|
|
# Exclude some linters from running on tests files.
|
|
- path: _test\.go
|
|
linters:
|
|
- errcheck
|
|
|
|
- text: "G404: Use of weak random number generator"
|
|
path: _test\.go
|
|
linters:
|
|
- gosec
|
|
|
|
# Suppress golint complaining about generated types in api/types/
|
|
- text: "type name will be used as (container|volume)\\.(Container|Volume).* by other packages, and that stutters; consider calling this"
|
|
path: "api/types/(volume|container)/"
|
|
linters:
|
|
- revive
|
|
|
|
# FIXME: ignoring unused assigns to ctx for now; too many hits in libnetwork/xxx functions that setup traces
|
|
- text: "assigned to ctx, but never used afterwards"
|
|
linters:
|
|
- wastedassign
|
|
|
|
- text: "ineffectual assignment to ctx"
|
|
source: "ctx[, ].*=.*\\(ctx[,)]"
|
|
linters:
|
|
- ineffassign
|
|
|
|
- text: "SA4006: this value of ctx is never used"
|
|
source: "ctx[, ].*=.*\\(ctx[,)]"
|
|
linters:
|
|
- staticcheck
|
|
|
|
# Ignore "nested context in function literal (fatcontext)" as we intentionally set up tracing on a base-context for tests.
|
|
# FIXME(thaJeztah): see if there's a more iodiomatic way to do this.
|
|
- text: 'nested context in function literal'
|
|
path: '((main|check)_(linux_|)test\.go)|testutil/helpers\.go'
|
|
linters:
|
|
- fatcontext
|
|
|
|
- text: '^shadow: declaration of "(ctx|err|ok)" shadows declaration'
|
|
linters:
|
|
- govet
|
|
- text: '^shadow: declaration of "(out)" shadows declaration'
|
|
path: _test\.go
|
|
linters:
|
|
- govet
|
|
- text: 'use of `regexp.MustCompile` forbidden'
|
|
path: _test\.go
|
|
linters:
|
|
- forbidigo
|
|
- text: 'use of `regexp.MustCompile` forbidden'
|
|
path: "daemon/internal/lazyregexp"
|
|
linters:
|
|
- forbidigo
|
|
- text: 'use of `regexp.MustCompile` forbidden'
|
|
path: "internal/testutils"
|
|
linters:
|
|
- forbidigo
|
|
- text: 'use of `regexp.MustCompile` forbidden'
|
|
path: "libnetwork/cmd/networkdb-test/dbclient"
|
|
linters:
|
|
- forbidigo
|
|
- text: 'use of `regexp.MustCompile` forbidden'
|
|
path: "registry/"
|
|
linters:
|
|
- forbidigo
|
|
|
|
# Log a warning if an exclusion rule is unused.
|
|
# Default: false
|
|
warn-unused: true
|
|
|
|
issues:
|
|
# Maximum issues count per one linter. Set to 0 to disable. Default is 50.
|
|
max-issues-per-linter: 0
|
|
|
|
# Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
|
|
max-same-issues: 0
|