-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Bump pgx to v5.10.0 (CWE-306) #10898
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -31,7 +31,7 @@ require ( | |
| github.com/gorilla/mux v1.8.1 | ||
| github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 | ||
| github.com/iancoleman/strcase v0.3.0 | ||
| github.com/jackc/pgx/v5 v5.9.2 | ||
| github.com/jackc/pgx/v5 v5.10.0 | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. If I understand it correctly this is for giving the capability of enforcing a client side check for the auth config on the postgresql server side. (and I guess not even sure this is CWE306) If so, I don't feel this is something we need to issue a security patch release for? wdyt?
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, that's my understaning as well. Don't think we need a security patch. |
||
| github.com/jmoiron/sqlx v1.4.0 | ||
| github.com/jstemmer/go-junit-report/v2 v2.1.0 | ||
| github.com/lib/pq v1.12.3 | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For deployments using
postgres12_pgxwithout an explicitconnectAttributes.require_auth, this bump does not actually restrict PostgreSQL authentication methods:buildDSNAttronly emits user-supplied connect attributes plus the defaultsslmode, and pgx v5.10.0 leavesRequireAuthempty unless the DSN containsrequire_auth, so all server-requested auth methods are still accepted. Since this commit is the CWE-306 remediation, Temporal should set a saferequire_authin the generated DSN or expose a first-class default; otherwise the downgrade-to-cleartext-password scenario remains on the default pgx path.Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already have a way to set
require_authon ConnectAttributes. We can't set the default since we have variation in use cases.