Merge branch 'release/1.21.x' into backport/sanikachavan5/upgrade-golang-to-latest-patch/poorly-pleasing-lion

panman90 · web-flow · commit 35af0e647f7f · 2025-10-27T12:19:48.000+05:30
diff --git a/.changelog/22836.txt b/.changelog/22836.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375).
+```
diff --git a/.changelog/22916.txt b/.changelog/22916.txt
@@ -0,0 +1,3 @@
+```release-note:security
+security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]()
+```
diff --git a/agent/event_endpoint.go b/agent/event_endpoint.go
@@ -5,6 +5,7 @@ package agent
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"net/http"
 	"strconv"
@@ -44,12 +45,29 @@ func (s *HTTPHandlers) EventFire(resp http.ResponseWriter, req *http.Request) (i
 	}
 
 	// Get the payload
-	if req.ContentLength > 0 {
+	if req.ContentLength >= 0 {
+		// The underlying gossip sets limits on the size of a user event
+		// message. It is hard to give an exact number, as it depends on various
+		// parameters of the event, but the payload should be kept very small
+		// (< 100 bytes). We've multiplied this by 3 to be safe.
+		const maxEventPayloadSize = 300
+		if req.ContentLength > maxEventPayloadSize {
+			return nil, HTTPError{
+				StatusCode: http.StatusRequestEntityTooLarge,
+				Reason: fmt.Sprintf("Event payload too large, received %d bytes, max size: %d bytes. User events should be kept small for efficient gossip propagation.",
+					req.ContentLength, maxEventPayloadSize),
+			}
+		}
+
 		var buf bytes.Buffer
-		if _, err := io.Copy(&buf, req.Body); err != nil {
-			return nil, err
+		if req.Body != nil {
+			if _, err := io.Copy(&buf, req.Body); err != nil {
+				return nil, err
+			}
+			event.Payload = buf.Bytes()
 		}
-		event.Payload = buf.Bytes()
+	} else {
+		return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Event payload size must be greater than zero"}
 	}
 
 	// Try to fire the event
diff --git a/agent/event_endpoint_test.go b/agent/event_endpoint_test.go
@@ -379,6 +379,125 @@ func TestEventList_EventBufOrder(t *testing.T) {
 	})
 }
 
+func TestEventFire_PayloadSizeLimit(t *testing.T) {
+	if testing.Short() {
+		t.Skip("too slow for testing.Short")
+	}
+
+	t.Parallel()
+	a := NewTestAgent(t, "")
+	defer a.Shutdown()
+	testrpc.WaitForTestAgent(t, a.RPC, "dc1")
+
+	const maxPayloadSize = 300
+
+	type expectedResponse struct {
+		success      bool
+		statusCode   int
+		errorMessage string
+		eventName    string
+		payloadSize  int
+	}
+
+	testCases := []struct {
+		name             string
+		payloadSize      int
+		expectedResponse *expectedResponse
+		description      string
+	}{
+		{
+			name:        "empty payload",
+			payloadSize: 0,
+			expectedResponse: &expectedResponse{
+				success:     true,
+				eventName:   "test",
+				payloadSize: 0,
+			},
+			description: "empty payload should be accepted",
+		},
+		{
+			name:        "payload within limit",
+			payloadSize: 50,
+			expectedResponse: &expectedResponse{
+				success:     true,
+				eventName:   "test",
+				payloadSize: 50,
+			},
+			description: "small payload should be accepted",
+		},
+		{
+			name:        "payload at exact limit",
+			payloadSize: maxPayloadSize,
+			expectedResponse: &expectedResponse{
+				success:     true,
+				eventName:   "test",
+				payloadSize: maxPayloadSize,
+			},
+			description: "payload at exactly 300 bytes should be accepted",
+		},
+		{
+			name:        "payload exceeds limit by 1 byte",
+			payloadSize: maxPayloadSize + 1,
+			expectedResponse: &expectedResponse{
+				statusCode:   http.StatusRequestEntityTooLarge,
+				errorMessage: "Event payload too large",
+			},
+			description: "payload exceeding limit should be rejected",
+		},
+		{
+			name:        "large payload",
+			payloadSize: 500,
+			expectedResponse: &expectedResponse{
+				statusCode:   http.StatusRequestEntityTooLarge,
+				errorMessage: "Event payload too large",
+			},
+			description: "large payload should be rejected",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			var payload []byte
+			if tc.payloadSize <= 0 {
+				payload = []byte{}
+			} else {
+				payload = bytes.Repeat([]byte("x"), tc.payloadSize)
+			}
+
+			url := "/v1/event/fire/test"
+			req, err := http.NewRequest("PUT", url, bytes.NewBuffer(payload))
+			require.NoError(t, err)
+
+			resp := httptest.NewRecorder()
+			obj, err := a.srv.EventFire(resp, req)
+
+			if tc.expectedResponse.success {
+				require.NoError(t, err, tc.description)
+				require.NotNil(t, obj, "Should return event object on success")
+
+				event, ok := obj.(*UserEvent)
+				require.True(t, ok, "Expected *UserEvent, got %T", obj)
+				require.Equal(t, tc.expectedResponse.eventName, event.Name)
+
+				if tc.expectedResponse.payloadSize == 0 {
+					// Empty payload should result in nil
+					require.Nil(t, event.Payload)
+				} else {
+					expectedPayload := bytes.Repeat([]byte("x"), tc.expectedResponse.payloadSize)
+					require.Equal(t, expectedPayload, event.Payload)
+				}
+			} else {
+				require.Error(t, err, tc.description)
+				httpErr, ok := err.(HTTPError)
+				require.True(t, ok, "Expected HTTPError, got %T", err)
+				require.Equal(t, tc.expectedResponse.statusCode, httpErr.StatusCode)
+				require.Contains(t, httpErr.Reason, tc.expectedResponse.errorMessage)
+				require.Nil(t, obj, "Should not return event object on error")
+			}
+		})
+	}
+}
+
 func TestUUIDToUint64(t *testing.T) {
 	t.Parallel()
 	inp := "cb9a81ad-fff6-52ac-92a7-5f70687805ec"
diff --git a/agent/kvs_endpoint.go b/agent/kvs_endpoint.go
@@ -5,6 +5,7 @@ package agent
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -238,19 +239,45 @@ func (s *HTTPHandlers) KVSPut(resp http.ResponseWriter, req *http.Request, args
 	}
 
 	// Check the content-length
-	if req.ContentLength > int64(s.agent.config.KVMaxValueSize) {
+	maxSize := int64(s.agent.config.KVMaxValueSize)
+	var buf *bytes.Buffer
+
+	switch {
+	case req.ContentLength <= 0 && req.Body == nil:
+		return "Request has no content-length & no body", nil
+
+	case req.ContentLength <= 0 && req.Body != nil:
+		// LimitReader to limit copy of large requests with no Content-Length
+		//+1 ensures we can detect if the body is too large
+		byteReader := http.MaxBytesReader(nil, req.Body, maxSize+1)
+		buf = new(bytes.Buffer)
+		if _, err := io.Copy(buf, byteReader); err != nil {
+			var bodyTooLargeErr *http.MaxBytesError
+			if errors.As(err, &bodyTooLargeErr) {
+				return nil, HTTPError{
+					StatusCode: http.StatusRequestEntityTooLarge,
+					Reason:     fmt.Sprintf("Request body too large. Max allowed is %d bytes.", maxSize),
+				}
+			}
+			return nil, err
+		}
+
+	case req.ContentLength > maxSize:
+		// Throw error if Content-Length is greater than max size
 		return nil, HTTPError{
 			StatusCode: http.StatusRequestEntityTooLarge,
 			Reason: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes. See %s.",
-				req.ContentLength, s.agent.config.KVMaxValueSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
+				req.ContentLength, maxSize, "https://developer.hashicorp.com/docs/agent/config/config-files#kv_max_value_size"),
 		}
-	}
 
-	// Copy the value
-	buf := bytes.NewBuffer(nil)
-	if _, err := io.Copy(buf, req.Body); err != nil {
-		return nil, err
+	default:
+		// Copy the value
+		buf = bytes.NewBuffer(nil)
+		if _, err := io.Copy(buf, req.Body); err != nil {
+			return nil, err
+		}
 	}
+
 	applyReq.DirEnt.Value = buf.Bytes()
 
 	// Make the RPC
diff --git a/agent/kvs_endpoint_test.go b/agent/kvs_endpoint_test.go
@@ -6,6 +6,7 @@ package agent
 import (
 	"bytes"
 	"fmt"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"path"
@@ -37,6 +38,7 @@ func TestKVSEndpoint_PUT_GET_DELETE(t *testing.T) {
 	for _, key := range keys {
 		buf := bytes.NewBuffer([]byte("test"))
 		req, _ := http.NewRequest("PUT", "/v1/kv/"+key, buf)
+		req.ContentLength = int64(buf.Len())
 		resp := httptest.NewRecorder()
 		obj, err := a.srv.KVSEndpoint(resp, req)
 		if err != nil {
@@ -554,6 +556,96 @@ func TestKVSEndpoint_GET(t *testing.T) {
 	}
 }
 
+func TestKVSPUT_SwitchCases(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping test in short mode")
+	}
+
+	t.Parallel()
+	a := NewTestAgent(t, "")
+	defer a.Shutdown()
+
+	maxSize := int(a.srv.agent.config.KVMaxValueSize)
+
+	tests := []struct {
+		name          string
+		body          string
+		contentLength int64
+		expectErr     bool
+		expectMsg     string
+		expectHTTPMsg string
+	}{
+		{
+			name:          "Case 2: No Content-Length but Body exists (allowed size)",
+			body:          "small-value",
+			contentLength: 0,
+			expectErr:     false,
+		},
+		{
+			name:          "Case 2b: No Content-Length but Body exists (too large)",
+			body:          strings.Repeat("x", maxSize+50),
+			contentLength: 0,
+			expectErr:     true,
+			expectHTTPMsg: fmt.Sprintf("Request body too large. Max allowed is %d bytes.", maxSize),
+		},
+		{
+			name:          "Case 3: Content-Length greater than max allowed limit",
+			body:          strings.Repeat("x", maxSize+10),
+			contentLength: int64(maxSize) + 10,
+			expectErr:     true,
+			expectHTTPMsg: fmt.Sprintf("Request body(%d bytes) too large, max size: %d bytes.", int64(maxSize)+10, maxSize),
+		},
+		{
+			name:          "Case 4: Normal body within allowed limit",
+			body:          "tiny",
+			contentLength: 4,
+			expectErr:     false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var bodyReader io.Reader
+			if tt.body != "" {
+				bodyReader = bytes.NewBufferString(tt.body)
+			} else {
+				bodyReader = nil
+			}
+
+			req := httptest.NewRequest(http.MethodPut, "/v1/kv/switch-test", bodyReader)
+			req.ContentLength = tt.contentLength
+			resp := httptest.NewRecorder()
+
+			obj, err := a.srv.KVSEndpoint(resp, req)
+
+			// Expected error cases
+			if tt.expectErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				httpErr, ok := err.(HTTPError)
+				if !ok {
+					t.Fatalf("expected HTTPError, got %T", err)
+				}
+				if !strings.Contains(httpErr.Reason, tt.expectHTTPMsg[:20]) { // partial match
+					t.Fatalf("expected HTTPError reason to contain %q, got %q", tt.expectHTTPMsg, httpErr.Reason)
+				}
+				return
+			}
+
+			// Unexpected error
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+
+			// Normal successful PUT result
+			if res, ok := obj.(bool); !ok || !res {
+				t.Fatalf("expected successful PUT result, got %v", obj)
+			}
+		})
+	}
+}
+
 func TestKVSEndpoint_DELETE_ConflictingFlags(t *testing.T) {
 	if testing.Short() {
 		t.Skip("too slow for testing.Short")
diff --git a/ui/packages/consul-ui/app/mixins/with-blocking-actions.js b/ui/packages/consul-ui/app/mixins/with-blocking-actions.js
@@ -24,6 +24,7 @@ import { singularize } from 'ember-inflector';
  *
  */
 export default Mixin.create({
+  router: service('router'),
   _feedback: service('feedback'),
   settings: service('settings'),
   init: function () {
@@ -50,7 +51,7 @@ export default Mixin.create({
     // e.g. index or edit
     parts.pop();
     // e.g. dc.intentions, essentially go to the listings page
-    return this.transitionTo(parts.join('.'));
+    return this.router.transitionTo(parts.join('.'));
   },
   afterDelete: function (item) {
     // e.g. dc.intentions.index
@@ -63,7 +64,7 @@ export default Mixin.create({
         return this.refresh();
       default:
         // e.g. dc.intentions essentially do to the listings page
-        return this.transitionTo(parts.join('.'));
+        return this.router.transitionTo(parts.join('.'));
     }
   },
   errorCreate: function (type, e) {
diff --git a/ui/packages/consul-ui/app/routes/dc/kv/folder.js b/ui/packages/consul-ui/app/routes/dc/kv/folder.js
@@ -4,13 +4,16 @@
  */
 
 import Route from './index';
+import { inject as service } from '@ember/service';
 
 export default class FolderRoute extends Route {
+  @service router;
+
   beforeModel(transition) {
     super.beforeModel(...arguments);
     const params = this.paramsFor('dc.kv.folder');
     if (params.key === '/' || params.key == null) {
-      return this.transitionTo('dc.kv.index');
+      return this.router.transitionTo('dc.kv.index');
     }
   }
 }
diff --git a/ui/packages/consul-ui/app/routes/dc/kv/index.js b/ui/packages/consul-ui/app/routes/dc/kv/index.js
diff --git a/ui/packages/consul-ui/tests/unit/mixins/with-blocking-actions-test.js b/ui/packages/consul-ui/tests/unit/mixins/with-blocking-actions-test.js
diff --git a/website/package-lock.json b/website/package-lock.json
diff --git a/website/package.json b/website/package.json

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:security
	`2`	`+security: adding a maximum Content-Length on the event endpoint to fix denial-of-service (DoS) attacks. This resolves [CVE-2025-11375](https://nvd.nist.gov/vuln/detail/CVE-2025-11375).`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:security
	`2`	`+security: Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks[CVE-2025-11374]()`
	`3`	+```
Original file line number	Diff line number	Diff line change
`@@ -4,13 +4,16 @@`
`4`	`4`	`*/`
`5`	`5`
`6`	`6`	`import Route from './index';`
	`7`	`+import { inject as service } from '@ember/service';`
`7`	`8`
`8`	`9`	`export default class FolderRoute extends Route {`
	`10`	`+ @service router;`
	`11`	`+`
`9`	`12`	`beforeModel(transition) {`
`10`	`13`	`super.beforeModel(...arguments);`
`11`	`14`	`const params = this.paramsFor('dc.kv.folder');`
`12`	`15`	`if (params.key === '/' \|\| params.key == null) {`
`13`		`- return this.transitionTo('dc.kv.index');`
	`16`	`+ return this.router.transitionTo('dc.kv.index');`
`14`	`17`	`}`
`15`	`18`	`}`
`16`	`19`	`}`