[extension/bearertokenauth] use constant time comparison #34516
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
codeboten
commented
Aug 8, 2024
codeboten
commented
- clarify error message in case of missing header
- don't use implementation code to verify expectations in tests
- format header value ahead of time, rather than on every use, to avoid allocations
- consistently synchronise access to header value for both client and server authenticators (now using sync/atomic.Value rather than RWMutex)
- clarify error message in case of missing header - don't use implementation code to verify expectations in tests - format header value ahead of time, rather than on every use, to avoid allocations - consistently synchronise access to header value for both client and server authenticators (now using sync/atomic.Value rather than RWMutex)
arminru
changed the title
mx-psi
approved these changes
Aug 8, 2024
evan-bradley
approved these changes
Aug 8, 2024
arminru
approved these changes
Aug 8, 2024
This was referenced Aug 13, 2024
dmathieu
referenced
this pull request
in open-telemetry/opentelemetry-go
Aug 19, 2024
…o v0.107.0 (#5710) [](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [otel/opentelemetry-collector-contrib](https://togithub.com/open-telemetry/opentelemetry-collector-releases) | minor | `0.106.1` -> `0.107.0` | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-collector-releases (otel/opentelemetry-collector-contrib)</summary> ### [`v0.107.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.107.0) [Compare Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.1...v0.107.0) Check the [v0.107.0 contrib changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.107.0) and the [v0.107.0 core changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.107.0) for changelogs on specific components. This release fixes CVE-2024-42368 on the bearerauthtokenextension ([https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/pull/34516)). ##### Changelog - [`6bb8682`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/6bb86822416b97ed8be442477ad2e95cb33a0970) Prepare 0.107.0 release ([#​636](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/636)) - [`9fe2ba4`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9fe2ba421e19bce91e7f8ecf15985e4016dd0dba) Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 ([#​634](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/634)) - [`b7cb307`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/b7cb307fb354aba7624faf20887f59c2859ea6e2) Bump actions/upload-artifact from 4.3.4 to 4.3.6 ([#​635](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/635)) - [`cd2dacc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd2dacc22b2bb72df2c3524e4f1bc44297984aab) Migrate ocb binary release to opentelemetry-collector-releases ([#​608](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/608)) - [`73a756f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/73a756f723721dd5c9a21beae765670609ba40a0) fix linux package dependencies ([#​620](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/620)) - [`5342205`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/534220564ca848bb4df1cae60a145740d22a19c1) Add /bin/sh dependency to linux packages ([#​617](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/617)) - [`efc0813`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/efc081348fd3da9c7b5617dcaaf41641f42db3dd) \[chore] move package tests from contrib repo to this repo ([#​604](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/604)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/open-telemetry/opentelemetry-go). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4yNi4xIiwidXBkYXRlZEluVmVyIjoiMzguMjYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiU2tpcCBDaGFuZ2Vsb2ciLCJkZXBlbmRlbmNpZXMiXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
XSAM
referenced
this pull request
in XSAM/otelsql
Aug 27, 2024
) [](https://renovatebot.com) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [otel/opentelemetry-collector-contrib](https://togithub.com/open-telemetry/opentelemetry-collector-releases) | minor | `0.105.0` -> `0.108.0` | --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-collector-releases (otel/opentelemetry-collector-contrib)</summary> ### [`v0.108.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.108.0) Check the [v0.108.0 contrib changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.108.0) and the [v0.108.0 core changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.108.0) for changelogs on specific components. #### Changelog - [`bef563e`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/bef563ebb0f3a73fb8681d4ca4178ddf244042b6) \[chore] prepare v0.108.0 release ([#​650](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/650)) - [`9f7aa60`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9f7aa60ccb871bab6e5ad76e3a4c4a31e7f25370) contrib: add deltatocumulative ([#​647](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/647)) - [`d86f03d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/d86f03d6116e1753adc4ff1ab1f327d19263226d) Bump anchore/sbom-action from 0.17.1 to 0.17.2 ([#​648](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/648)) - [`ae09f1c`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/ae09f1c95ff57be3507678da85fb9ddac8eb540e) add geoip processor to contrib ([#​646](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/646)) - [`cd82e6f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd82e6fd703ac4733ab8800d177d08452de990e6) Remove ballast extension ([#​607](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/607)) - [`2bafff8`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/2bafff863f53630ba01b0cb809e1dac965b492eb) Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 ([#​628](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/628)) - [`45130cf`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/45130cf417eea3228a299d92a44165b1198282cd) Bump anchore/sbom-action from 0.17.0 to 0.17.1 ([#​644](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/644)) - [`5bbfb51`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/5bbfb51ebc9861b72c40476f9ecda8a9ed0bca92) Bump github.com/goreleaser/goreleaser-pro/v2 from 2.1.0-pro to 2.2.0-pro ([#​645](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/645)) - [`fbe9653`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/fbe96534081a5ea85bc16ccd558f96cd24658c9f) Bump to Go 1.23 for all builds ([#​638](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/638)) - [`9c8c699`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9c8c699de1a756c7b99a1188f8db68bb6540116e) Update .goreleaser.yml ([#​643](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/643)) - [`de92512`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/de92512197c429960163d486b55825ef778a1761) Jackgopack4/go1.23 ci fix ([#​641](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/641)) - [`4c7310f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/4c7310fe699387ea5cce55f393a6ac806339165e) Fix goreleaser ci ([#​640](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/640)) ### [`v0.107.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.107.0) [Compare Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.1...v0.107.0) Check the [v0.107.0 contrib changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.107.0) and the [v0.107.0 core changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.107.0) for changelogs on specific components. This release fixes CVE-2024-42368 on the bearerauthtokenextension ([https://github.com/open-telemetry/opentelemetry-collector-contrib/pull/34516](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/pull/34516)). ##### Changelog - [`6bb8682`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/6bb86822416b97ed8be442477ad2e95cb33a0970) Prepare 0.107.0 release ([#​636](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/636)) - [`9fe2ba4`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/9fe2ba421e19bce91e7f8ecf15985e4016dd0dba) Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 ([#​634](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/634)) - [`b7cb307`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/b7cb307fb354aba7624faf20887f59c2859ea6e2) Bump actions/upload-artifact from 4.3.4 to 4.3.6 ([#​635](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/635)) - [`cd2dacc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/cd2dacc22b2bb72df2c3524e4f1bc44297984aab) Migrate ocb binary release to opentelemetry-collector-releases ([#​608](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/608)) - [`73a756f`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/73a756f723721dd5c9a21beae765670609ba40a0) fix linux package dependencies ([#​620](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/620)) - [`5342205`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/534220564ca848bb4df1cae60a145740d22a19c1) Add /bin/sh dependency to linux packages ([#​617](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/617)) - [`efc0813`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/efc081348fd3da9c7b5617dcaaf41641f42db3dd) \[chore] move package tests from contrib repo to this repo ([#​604](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/604)) ### [`v0.106.1`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.106.1) [Compare Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.106.0...v0.106.1) Check the [v0.106.1 contrib changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.106.1) and the [v0.106.1 core changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.106.1) for changelogs on specific components. ##### Changelog - [`ee3f3cc`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/ee3f3cc8039fad89c962cd34f0d2b8b4babfa40d) Prepare release v0.106.1 ([#​619](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/619)) ### [`v0.106.0`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/releases/tag/v0.106.0) [Compare Source](https://togithub.com/open-telemetry/opentelemetry-collector-releases/compare/v0.105.0...v0.106.0) Check the [v0.106.0 contrib changelog](https://togithub.com/open-telemetry/opentelemetry-collector-contrib/releases/tag/v0.106.0) and the [v0.106.0 core changelog](https://togithub.com/open-telemetry/opentelemetry-collector/releases/tag/v0.106.0) for changelogs on specific components. ##### Changelog - [`1e67d14`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/1e67d14d30857b5306c7ff4c1091648eaf1497cc) Prepare release v0.106.0 ([#​615](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/615)) - [`a13cff5`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/a13cff51c124c20a8d423683f90a633298b5fe9e) fix some broken conditionals in pipelines ([#​610](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/610)) - [`34bc10d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/34bc10d950b71a0d42bf71d84d340e4b388849b8) Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 ([#​612](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/612)) - [`c75880c`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/c75880c15b99f58decb99f8f93901a4a2c6f6ebf) Bump docker/setup-qemu-action from 3.1.0 to 3.2.0 ([#​613](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/613)) - [`10e46e7`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/10e46e74de356add246bf3c52b7c59d5159624ef) Bump docker/login-action from 3.2.0 to 3.3.0 ([#​614](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/614)) - [`3148572`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/3148572998c8f343960da3d727fca0834e406593) update remaining goreleaser usages to v2 ([#​609](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/609)) - [`4d6e084`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/4d6e08471090ceecbf5ef0bbfc5ec70cae23f42d) Bump anchore/sbom-action from 0.16.1 to 0.17.0 ([#​605](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/605)) - [`19d291d`](https://togithub.com/open-telemetry/opentelemetry-collector-releases/commit/19d291d72811b3b8623ccd2296b78a44f0212fca) Update go to 1.22 ([#​600](https://togithub.com/open-telemetry/opentelemetry-collector-releases/issues/600)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/XSAM/otelsql). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM4LjI2LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 task
f7o
pushed a commit
to f7o/opentelemetry-collector-contrib
that referenced
this pull request
Sep 12, 2024
](https://renovatebot.com){kind=link}
…try#34516) - clarify error message in case of missing header - don't use implementation code to verify expectations in tests - format header value ahead of time, rather than on every use, to avoid allocations - consistently synchronise access to header value for both client and server authenticators (now using sync/atomic.Value rather than RWMutex) --------- Signed-off-by: Alex Boten <223565+codeboten@users.noreply.github.com> Co-authored-by: Andrew Wilkins <axw@elastic.co>
This was referenced Sep 25, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.