From 3c7eec13dec6a064038024bdd382a38c925d0035 Mon Sep 17 00:00:00 2001 From: Chi Wang Date: Tue, 11 Oct 2022 22:44:51 +0200 Subject: [PATCH 1/2] Update GrpcRemoteDownloader to only include relevant headers. (#16450) Fixes https://github.com/bazelbuild/bazel/security/advisories/GHSA-mxr8-q875-rhwq. RELNOTES[INC]: GrpcRemoteDownloader only includes relevant headers instead of sending all credentials. Closes #16439. PiperOrigin-RevId: 480069164 Change-Id: I49950311c04d1997d26832431d531a9036efdb18 Co-authored-by: kshyanashree <109167932+kshyanashree@users.noreply.github.com> --- .../remote/downloader/GrpcRemoteDownloader.java | 16 +++++++++++++--- .../downloader/GrpcRemoteDownloaderTest.java | 3 --- 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java index a0bc56b0b12d6e..aa4d3ffafb721c 100644 --- a/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java +++ b/src/main/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloader.java @@ -23,6 +23,7 @@ import build.bazel.remote.execution.v2.RequestMetadata; import com.google.common.annotations.VisibleForTesting; import com.google.common.base.Strings; +import com.google.common.collect.ImmutableSet; import com.google.devtools.build.lib.bazel.repository.downloader.Checksum; import com.google.devtools.build.lib.bazel.repository.downloader.Downloader; import com.google.devtools.build.lib.bazel.repository.downloader.HashOutputStream; @@ -165,7 +166,7 @@ static FetchBlobRequest newFetchBlobRequest( requestBuilder.addQualifiers( Qualifier.newBuilder() .setName(QUALIFIER_AUTH_HEADERS) - .setValue(authHeadersJson(authHeaders)) + .setValue(authHeadersJson(urls, authHeaders)) .build()); } 
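Review bot: Because filtering now happens inside `authHeadersJson(urls, authHeaders)`, the qualifier built in newFetchBlobRequest can carry an empty JSON object when none of the configured headers belongs to a requested host. The condition guarding this `addQualifiers` call is outside the hunk. If it only tests that `authHeaders` is non-empty, it would be cleaner to filter first and skip the qualifier when nothing remains, so the remote service does not receive an auth-headers qualifier with no content. A test that passes headers for an unrelated host only would pin whichever behaviour is intended.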
@@ -190,15 +191,24 @@ private OutputStream newOutputStream( return out; } - private static String authHeadersJson(Map> authHeaders) { + private static String authHeadersJson( + List urls, Map> authHeaders) { + ImmutableSet hostSet = + urls.stream().map(URL::getHost).collect(ImmutableSet.toImmutableSet()); Map subObjects = new TreeMap<>(); for (Map.Entry> entry : authHeaders.entrySet()) { + URI uri = entry.getKey(); + // Only add headers that are relevant to the hosts. + if (!hostSet.contains(uri.getHost())) { + continue; + } + JsonObject subObject = new JsonObject(); Map orderedHeaders = new TreeMap<>(entry.getValue()); for (Map.Entry subEntry : orderedHeaders.entrySet()) { subObject.addProperty(subEntry.getKey(), subEntry.getValue()); } - subObjects.put(entry.getKey().toString(), subObject); + subObjects.put(uri.toString(), subObject); } JsonObject authHeadersJson = new JsonObject(); diff --git a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java index f8a24ff79ec90d..cadba3c642012e 100644 --- a/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java +++ b/src/test/java/com/google/devtools/build/lib/remote/downloader/GrpcRemoteDownloaderTest.java @@ -321,9 +321,6 @@ public void testFetchBlobRequest() throws Exception { + "\"http://example.com\":{" + "\"Another-Header\":\"another header content\"," + "\"Some-Header\":\"some header content\"" - + "}," - + "\"http://example.org\":{" - + "\"Org-Header\":\"org header content\"" + "}" + "}"; From 8cddbe970c397ed63f2a0c6536f48f69094401a3 Mon Sep 17 00:00:00 2001 From: Chi Wang Date: Wed, 12 Oct 2022 17:20:26 +0200 Subject: [PATCH 2/2] Use bazel 4.2.2 in Bazel CI --- .bazelci/build_bazel_binaries.yml | 12 ++++++++++++ .bazelci/postsubmit.yml | 17 +++++++++++++++++ .bazelci/presubmit.yml | 15 +++++++++++++++ 3 files changed, 44 insertions(+) 
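Review bot: The new filter in authHeadersJson matches on host name alone (`hostSet.contains(uri.getHost())`), so headers registered for `https://host` are still forwarded when the requested URL is `http://host` or the same host on a different port. If credentials are meant to follow the exact origin, compare scheme and port as well; otherwise say so in the comment, e.g. `// Match on host only; scheme and port are deliberately ignored.`. The comparison is also case-sensitive, since neither `URL.getHost()` nor `URI.getHost()` lower-cases its result, so a key spelled `Example.com` is silently dropped for a URL on `example.com`. Normalising both sides with `toLowerCase(Locale.ROOT)` avoids that. The method body continues past the end of the hunk.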
diff --git a/.bazelci/build_bazel_binaries.yml b/.bazelci/build_bazel_binaries.yml index 5ff3e1796eb7c5..9ed4d3aac1cf74 100644 --- a/.bazelci/build_bazel_binaries.yml +++ b/.bazelci/build_bazel_binaries.yml @@ -1,6 +1,8 @@ --- platforms: centos7_java11_devtoolset10: + environment: + USE_BAZEL_VERSION: 4.2.2 build_targets: - "//src:bazel" - "//src:bazel_nojdk" @@ -8,6 +10,8 @@ platforms: - "-c" - "opt" ubuntu1604: + environment: + USE_BAZEL_VERSION: 4.2.2 build_targets: - "//src:bazel" - "//src:bazel_nojdk" @@ -15,6 +19,8 @@ platforms: - "-c" - "opt" ubuntu1804: + environment: + USE_BAZEL_VERSION: 4.2.2 build_targets: - "//src:bazel" - "//src:bazel_nojdk" @@ -22,6 +28,8 @@ platforms: - "-c" - "opt" ubuntu2004: + environment: + USE_BAZEL_VERSION: 4.2.2 build_targets: - "//src:bazel" - "//src:bazel_nojdk" @@ -29,6 +37,8 @@ platforms: - "-c" - "opt" macos: + environment: + USE_BAZEL_VERSION: 4.2.2 build_targets: - "//src:bazel" - "//src:bazel_nojdk" @@ -36,6 +46,8 @@ platforms: - "-c" - "opt" windows: + environment: + USE_BAZEL_VERSION: 4.2.2 build_flags: - "--copt=-w" - "--host_copt=-w" diff --git a/.bazelci/postsubmit.yml b/.bazelci/postsubmit.yml index 548a1917ad5ab6..b7ff475635bda6 100644 --- a/.bazelci/postsubmit.yml +++ b/.bazelci/postsubmit.yml @@ -1,6 +1,8 @@ --- tasks: centos7_java11_devtoolset10: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE @@ -45,6 +47,8 @@ tasks: - build - test ubuntu1604: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE 
@@ -81,6 +85,8 @@ tasks: - build - test ubuntu1804: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE @@ -121,6 +127,7 @@ tasks: ubuntu1804_clang: platform: ubuntu1804 environment: + USE_BAZEL_VERSION: 4.2.2 CC: clang CC_CONFIGURE_DEBUG: 1 name: "Clang" @@ -148,6 +155,8 @@ tasks: - build - test ubuntu2004: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE @@ -194,6 +203,8 @@ tasks: - build - test macos: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE @@ -232,6 +243,8 @@ tasks: - build - test windows: + environment: + USE_BAZEL_VERSION: 4.2.2 batch_commands: - powershell -Command "(Get-Content WORKSPACE) -Replace '# android_', 'android_' | Set-Content WORKSPACE" build_flags: @@ -256,6 +269,8 @@ tasks: - build - test rbe_ubuntu1604: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' @@ -268,6 +283,8 @@ tasks: include_json_profile: - build kythe_ubuntu2004: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE diff --git a/.bazelci/presubmit.yml b/.bazelci/presubmit.yml index d9674469863987..863a614b65f3b0 100644 --- a/.bazelci/presubmit.yml +++ b/.bazelci/presubmit.yml @@ -1,6 +1,8 @@ --- tasks: centos7_java11_devtoolset10: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 4 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# 
@@ -43,6 +45,8 @@ tasks: - "-//src/test/shell/bazel:bazel_coverage_cc_head_test_gcc" - "-//src/test/shell/bazel:bazel_coverage_sh_test" ubuntu1604: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 4 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# @@ -77,6 +81,8 @@ tasks: - "-//src/java_tools/buildjar/..." - "-//src/java_tools/import_deps_checker/..." ubuntu1804: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 4 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# @@ -115,6 +121,7 @@ tasks: ubuntu1804_clang: platform: ubuntu1804 environment: + USE_BAZEL_VERSION: 4.2.2 CC: clang CC_CONFIGURE_DEBUG: 1 name: "Clang" @@ -139,6 +146,8 @@ tasks: test_targets: - "//src/test/shell/bazel:cc_integration_test" ubuntu2004: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 4 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# @@ -183,6 +192,8 @@ tasks: - "-//src/test/shell/bazel:bazel_coverage_cc_head_test_gcc" - "-//src/test/shell/bazel/android:android_ndk_integration_test_with_head_android_tools" macos: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 5 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# @@ -222,6 +233,8 @@ tasks: # C++ coverage is not supported on macOS yet. - "-//src/test/shell/bazel:bazel_cc_code_coverage_test" windows: + environment: + USE_BAZEL_VERSION: 4.2.2 shards: 4 batch_commands: - powershell -Command "(Get-Content WORKSPACE) -Replace '# android_', 'android_' | Set-Content WORKSPACE" @@ -244,6 +257,8 @@ tasks: test_targets: - "//src:all_windows_tests" rbe_ubuntu1604: + environment: + USE_BAZEL_VERSION: 4.2.2 shell_commands: - sed -i.bak -e 's/^# android_sdk_repository/android_sdk_repository/' -e 's/^# android_ndk_repository/android_ndk_repository/' WORKSPACE