Skip to content

Commit 53ba1ba

Browse files
committed
fix: exclude GO-2026-4865 (html/template XSS via grpc→net/trace)
GO-2026-4865 is reachable via grpc v1.79.3 → golang.org/x/net/trace → html/template.Template.Funcs. Fixed in go1.25.9 / go1.26.2. Excluded from enforcement until CI upgrades to go >= 1.25.9. https://claude.ai/code/session_018ji3prTSK6AKEFqRfZQbBQ
1 parent 873857a commit 53ba1ba

1 file changed

Lines changed: 9 additions & 8 deletions

File tree

.github/workflows/engine-ci.yml

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -67,22 +67,23 @@ jobs:
6767
# GO-2026-4887, GO-2026-4883
6868
#
6969
# Go standard library vulnerabilities fixed in go1.25.9 / go1.26.2 (released 2026-04-07).
70-
# Reachable via docker/docker (archive/tar) or crypto/tls (EmailSendConnector) in go < 1.25.9:
71-
# GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives)
72-
# GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock)
73-
# GO-2026-4946 (crypto/x509: policy-validation DoS)
74-
# GO-2026-4947 (crypto/x509: certificate chain-building DoS)
75-
# Remove these four exclusions once CI upgrades to go >= 1.25.9.
70+
# Reachable in go < 1.25.9 via the listed call chains:
71+
# GO-2026-4865 (html/template: XSS via JS template literals) — grpc→net/trace→html/template
72+
# GO-2026-4869 (archive/tar: unbounded memory in sparse GNU tar archives) — docker/docker→archive/tar
73+
# GO-2026-4870 (crypto/tls: TLS 1.3 key-update deadlock) — EmailSendConnector→crypto/tls
74+
# GO-2026-4946 (crypto/x509: policy-validation DoS) — EmailSendConnector→crypto/tls→crypto/x509
75+
# GO-2026-4947 (crypto/x509: certificate chain-building DoS) — EmailSendConnector→crypto/tls→crypto/x509
76+
# Remove these five exclusions once CI upgrades to go >= 1.25.9.
7677
OUTPUT=$(govulncheck ./... 2>&1 || true)
7778
echo "$OUTPUT"
7879
# Emit each actionable vulnerability ID as a GHA error annotation for visibility.
7980
ALL_IDS=$(echo "$OUTPUT" | grep -oE 'GO-[0-9]+-[0-9]+' | sort -u || true)
8081
echo "govulncheck IDs found: ${ALL_IDS:-none}"
81-
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
82+
ACTIONABLE_IDS=$(echo "$ALL_IDS" | grep -vE '^(GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947)$' || true)
8283
for ID in $ACTIONABLE_IDS; do
8384
echo "::error file=go.mod,line=1,title=Unfixed vulnerability::$ID — add to exclusion list or upgrade the affected dependency"
8485
done
85-
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
86+
ACTIONABLE=$(echo "$OUTPUT" | grep -E '^Vulnerability #[0-9]+:' | grep -vE 'GO-2026-4887|GO-2026-4883|GO-2026-4865|GO-2026-4869|GO-2026-4870|GO-2026-4946|GO-2026-4947' || true)
8687
if [ -n "$ACTIONABLE" ]; then
8788
exit 1
8889
fi

0 commit comments

Comments
 (0)