grpc: enforce strict path checking for incoming requests on the server #8987

Merged
easwars merged 2 commits into grpc:v1.80.x from easwars:v1.80.x
Mar 23, 2026

Conversation

@easwars easwars (Contributor) commented Mar 18, 2026

RELEASE NOTES:

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error.
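The release note above describes the check only in words. The following is an added example, not grpc-go's code: a strict :path validator of the kind the note describes, the canonical-path deny lookup it protects, and, for contrast, a hypothetical model of the bug class where the lookup runs on the raw header. The names serveStrict, serveLenient, isCanonicalFullMethod, denyRules and the method /pkg.Admin/DeleteUser are assumptions constructed for the example.

```go
package main
import "strings"

// Added example, not grpc-go's code. It models the release-note check: a :path
// must be canonical ("/<service>/<method>") before routing or authorization.

// Outcomes a server can return before invoking a handler.
const (
	Unimplemented = "Unimplemented (non-canonical :path)"
	Denied        = "PermissionDenied (authz deny rule)"
	Dispatched    = "dispatched to handler"
)

// denyRules is a constructed deny list keyed on the canonical full method
// name, as a grpc/authz-style interceptor would hold it.
var denyRules = map[string]bool{"/pkg.Admin/DeleteUser": true}

// isCanonicalFullMethod reports whether path has exactly the form
// "/service/method": one leading slash and two non-empty components.
func isCanonicalFullMethod(path string) bool {
	if !strings.HasPrefix(path, "/") {
		return false
	}
	parts := strings.Split(path[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// serveStrict is the fixed behaviour: non-canonical paths are rejected up
// front, so the deny lookup always sees the string the rule author wrote.
func serveStrict(path string) string {
	if !isCanonicalFullMethod(path) {
		return Unimplemented
	}
	if denyRules[path] {
		return Denied
	}
	return Dispatched
}

// serveLenient models the bug class (hypothetical, not grpc-go's pre-fix code):
// deny lookup on the raw header, routing tolerant of a missing leading slash.
func serveLenient(path string) string {
	if denyRules[path] {
		return Denied
	}
	if !isCanonicalFullMethod("/" + strings.TrimPrefix(path, "/")) {
		return Unimplemented
	}
	return Dispatched
}
```

The contrast is the whole point: the same header "pkg.Admin/DeleteUser" is dispatched by serveLenient but answered with Unimplemented by serveStrict, so a deny rule written against the canonical name can no longer be sidestepped.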

grpc#8985)

RELEASE NOTES:
* server: fix an authorization bypass where malformed :path headers
(missing the leading slash) could bypass path-based restricted "deny"
rules in interceptors like `grpc/authz`. Any request with a
non-canonical path is now immediately rejected with an `Unimplemented`
error.
@easwars easwars added the Type: Security A bug or other problem affecting security label Mar 18, 2026
@easwars easwars added this to the 1.80 Release milestone Mar 18, 2026
@easwars easwars requested a review from dfawley March 18, 2026 07:04
This PR regenerates the expired SPIFFE certs and changes the expiry time
to 10 years.
This PR also corrects the `README.md` which had 1 typo and one wrong
script name.

RELEASE NOTES: None
@codecov codecov Bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 61.53846% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.20%. Comparing base (b6597b3) to head (4d9a3ad).
⚠️ Report is 1 commit behind head on v1.80.x.

Files with missing lines   Patch %   Lines
server.go                  61.53%    7 Missing and 3 partials ⚠️

Impacted files:
@@             Coverage Diff             @@
##           v1.80.x    #8987      +/-   ##
===========================================
- Coverage    83.42%   83.20%   -0.22%     
===========================================
  Files          410      410              
  Lines        32572    32586      +14     
===========================================
- Hits         27172    27114      -58     
- Misses        4030     4073      +43     
- Partials      1370     1399      +29     
Files with missing lines          Coverage   Δ
internal/envconfig/envconfig.go   100.00%    <ø> (ø)
server.go                         82.48%     <61.53%> (-0.25%) ⬇️

... and 30 files with indirect coverage changes

@dfawley dfawley assigned easwars and unassigned dfawley Mar 23, 2026
@easwars easwars merged commit bd7cd3c into grpc:v1.80.x Mar 23, 2026
14 checks passed
Labels

Type: Security A bug or other problem affecting security

3 participants