run hack/update-netparse-cve.sh

Kubernetes-commit: 0cd75e8fec62a2531637e80bb950ac9983cac1b0
2021-08-20 01:16:14 +02:00 · 2021-08-20 01:16:14 +02:00 · 38c6ad936b
parent c1a0f339ee
commit 38c6ad936b
10 changed files with 34 additions and 28 deletions
--- a/pkg/endpoints/discovery/addresses_test.go
+++ b/pkg/endpoints/discovery/addresses_test.go
@ -17,13 +17,13 @@ limitations under the License.
 package discovery
 import (
 	"net"
 	"net/http"
 	"reflect"
 	"testing"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	netutils "k8s.io/utils/net"
 )
 func TestGetServerAddressByClientCIDRs(t *testing.T) {
@ -103,7 +103,7 @@ func TestGetServerAddressByClientCIDRs(t *testing.T) {
 		},
 	}
-	_, ipRange, _ := net.ParseCIDR("10.0.0.0/24")
+	_, ipRange, _ := netutils.ParseCIDRSloppy("10.0.0.0/24")
 	discoveryAddresses := DefaultAddresses{DefaultAddress: "ExternalAddress"}
 	discoveryAddresses.CIDRRules = append(discoveryAddresses.CIDRRules,
 		CIDRRule{IPRange: *ipRange, Address: "serviceIP"})
--- a/pkg/server/config_selfclient_test.go
+++ b/pkg/server/config_selfclient_test.go
@ -47,7 +47,7 @@ func TestLoopbackHostPortIPv4(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() {
+	if ip := netutils.ParseIPSloppy(host); ip == nil || !ip.IsLoopback() {
 		t.Fatalf("expected host to be loopback, got %q", host)
 	}
 	if port != "443" {
@ -78,7 +78,7 @@ func TestLoopbackHostPortIPv6(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
-	if ip := net.ParseIP(host); ip == nil || !ip.IsLoopback() || ip.To4() != nil {
+	if ip := netutils.ParseIPSloppy(host); ip == nil || !ip.IsLoopback() || ip.To4() != nil {
 		t.Fatalf("expected IPv6 host to be loopback, got %q", host)
 	}
 	if port != "443" {
--- a/pkg/server/config_test.go
+++ b/pkg/server/config_test.go
@ -19,7 +19,6 @@ package server
 import (
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/http/httputil"
@ -43,6 +42,7 @@ import (
 	"k8s.io/client-go/informers"
 	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/rest"
 	netutils "k8s.io/utils/net"
 )
 func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
@ -81,7 +81,7 @@ func TestAuthorizeClientBearerTokenNoops(t *testing.T) {
 func TestNewWithDelegate(t *testing.T) {
 	delegateConfig := NewConfig(codecs)
 	delegateConfig.ExternalAddress = "192.168.10.4:443"
-	delegateConfig.PublicAddress = net.ParseIP("192.168.10.4")
+	delegateConfig.PublicAddress = netutils.ParseIPSloppy("192.168.10.4")
 	delegateConfig.LegacyAPIGroupPrefixes = sets.NewString("/api")
 	delegateConfig.LoopbackClientConfig = &rest.Config{}
 	clientset := fake.NewSimpleClientset()
@ -113,7 +113,7 @@ func TestNewWithDelegate(t *testing.T) {
 	wrappingConfig := NewConfig(codecs)
 	wrappingConfig.ExternalAddress = "192.168.10.4:443"
-	wrappingConfig.PublicAddress = net.ParseIP("192.168.10.4")
+	wrappingConfig.PublicAddress = netutils.ParseIPSloppy("192.168.10.4")
 	wrappingConfig.LegacyAPIGroupPrefixes = sets.NewString("/api")
 	wrappingConfig.LoopbackClientConfig = &rest.Config{}
--- a/pkg/server/dynamiccertificates/named_certificates.go
+++ b/pkg/server/dynamiccertificates/named_certificates.go
@ -20,12 +20,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net"
 	"strings"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/klog/v2"
 	netutils "k8s.io/utils/net"
 )
 // BuildNamedCertificates returns a map of *tls.Certificate by name. It's
@ -77,7 +77,7 @@ func getCertificateNames(cert *x509.Certificate) []string {
 	var names []string
 	cn := cert.Subject.CommonName
-	cnIsIP := net.ParseIP(cn) != nil
+	cnIsIP := netutils.ParseIPSloppy(cn) != nil
 	cnIsValidDomain := cn == "*" || len(validation.IsDNS1123Subdomain(strings.TrimPrefix(cn, "*."))) == 0
 	// don't use the CN if it is a valid IP because our IP serving detection may unexpectedly use it to terminate the connection.
 	if !cnIsIP && cnIsValidDomain {
--- a/pkg/server/dynamiccertificates/named_certificates_test.go
+++ b/pkg/server/dynamiccertificates/named_certificates_test.go
@ -31,6 +31,8 @@ import (
 	"testing"
 	"time"
 	netutils "k8s.io/utils/net"
 	"github.com/stretchr/testify/assert"
 )
@ -246,7 +248,7 @@ NextTest:
 func parseIPList(ips []string) []net.IP {
 	var netIPs []net.IP
 	for _, ip := range ips {
-		netIPs = append(netIPs, net.ParseIP(ip))
+		netIPs = append(netIPs, netutils.ParseIPSloppy(ip))
 	}
 	return netIPs
 }
@ -302,7 +304,7 @@ func generateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 		IsCA:                  true,
 	}
-	if ip := net.ParseIP(host); ip != nil {
+	if ip := netutils.ParseIPSloppy(host); ip != nil {
 		template.IPAddresses = append(template.IPAddresses, ip)
 	} else {
 		template.DNSNames = append(template.DNSNames, host)
--- a/pkg/server/genericapiserver_test.go
+++ b/pkg/server/genericapiserver_test.go
@ -54,6 +54,7 @@ import (
 	restclient "k8s.io/client-go/rest"
 	kubeopenapi "k8s.io/kube-openapi/pkg/common"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 	netutils "k8s.io/utils/net"
 )
 const (
@ -127,7 +128,7 @@ func testGetOpenAPIDefinitions(_ kubeopenapi.ReferenceCallback) map[string]kubeo
 func setUp(t *testing.T) (Config, *assert.Assertions) {
 	config := NewConfig(codecs)
 	config.ExternalAddress = "192.168.10.4:443"
-	config.PublicAddress = net.ParseIP("192.168.10.4")
+	config.PublicAddress = netutils.ParseIPSloppy("192.168.10.4")
 	config.LegacyAPIGroupPrefixes = sets.NewString("/api")
 	config.LoopbackClientConfig = &restclient.Config{}
--- a/pkg/server/options/server_run_options_test.go
+++ b/pkg/server/options/server_run_options_test.go
@ -17,12 +17,12 @@ limitations under the License.
 package options
 import (
 	"net"
 	"strings"
 	"testing"
 	"time"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
 	netutils "k8s.io/utils/net"
 )
 func TestServerRunOptionsValidate(t *testing.T) {
@ -34,7 +34,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when MaxRequestsInFlight is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         -400,
 				MaxMutatingRequestsInFlight: 200,
@ -48,7 +48,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when MaxMutatingRequestsInFlight is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: -200,
@ -62,7 +62,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when RequestTimeout is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -76,7 +76,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when MinRequestTimeout is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -90,7 +90,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when JSONPatchMaxCopyBytes is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -104,7 +104,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when MaxRequestBodyBytes is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -118,7 +118,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when LivezGracePeriod is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -133,7 +133,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when MinimalShutdownDuration is negative value",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				MaxRequestsInFlight:         400,
 				MaxMutatingRequestsInFlight: 200,
@ -148,7 +148,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when HSTSHeaders is valid",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				HSTSDirectives:              []string{"fakevalue", "includeSubDomains", "preload"},
 				MaxRequestsInFlight:         400,
@ -163,7 +163,7 @@ func TestServerRunOptionsValidate(t *testing.T) {
 		{
 			name: "Test when ServerRunOptions is valid",
 			testOptions: &ServerRunOptions{
-				AdvertiseAddress:            net.ParseIP("192.168.10.10"),
+				AdvertiseAddress:            netutils.ParseIPSloppy("192.168.10.10"),
 				CorsAllowedOriginList:       []string{"10.10.10.100", "10.10.10.200"},
 				HSTSDirectives:              []string{"max-age=31536000", "includeSubDomains", "preload"},
 				MaxRequestsInFlight:         400,
--- a/pkg/server/options/serving.go
+++ b/pkg/server/options/serving.go
@ -27,6 +27,7 @@ import (
 	"github.com/spf13/pflag"
 	"k8s.io/klog/v2"
 	netutils "k8s.io/utils/net"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/server"
@ -108,7 +109,7 @@ type GeneratableKeyCert struct {
 func NewSecureServingOptions() *SecureServingOptions {
 	return &SecureServingOptions{
-		BindAddress: net.ParseIP("0.0.0.0"),
+		BindAddress: netutils.ParseIPSloppy("0.0.0.0"),
 		BindPort:    443,
 		ServerCert: GeneratableKeyCert{
 			PairName:      "apiserver",
--- a/pkg/server/options/serving_test.go
+++ b/pkg/server/options/serving_test.go
@ -44,6 +44,7 @@ import (
 	"k8s.io/client-go/discovery"
 	restclient "k8s.io/client-go/rest"
 	cliflag "k8s.io/component-base/cli/flag"
 	netutils "k8s.io/utils/net"
 )
 func setUp(t *testing.T) server.Config {
@ -277,7 +278,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.EnableIndex = true
 			secureOptions := (&SecureServingOptions{
-				BindAddress: net.ParseIP("127.0.0.1"),
+				BindAddress: netutils.ParseIPSloppy("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
 					CertKey: CertKey{
@ -381,7 +382,7 @@ func TestServerRunWithSNI(t *testing.T) {
 func parseIPList(ips []string) []net.IP {
 	var netIPs []net.IP
 	for _, ip := range ips {
-		netIPs = append(netIPs, net.ParseIP(ip))
+		netIPs = append(netIPs, netutils.ParseIPSloppy(ip))
 	}
 	return netIPs
 }
@ -488,7 +489,7 @@ func generateSelfSignedCertKey(host string, alternateIPs []net.IP, alternateDNS
 		IsCA:                  true,
 	}
-	if ip := net.ParseIP(host); ip != nil {
+	if ip := netutils.ParseIPSloppy(host); ip != nil {
 		template.IPAddresses = append(template.IPAddresses, ip)
 	} else {
 		template.DNSNames = append(template.DNSNames, host)
--- a/pkg/server/options/serving_with_loopback_test.go
+++ b/pkg/server/options/serving_with_loopback_test.go
@ -22,6 +22,7 @@ import (
 	"k8s.io/apiserver/pkg/server"
 	"k8s.io/client-go/rest"
 	netutils "k8s.io/utils/net"
 )
 func TestEmptyMainCert(t *testing.T) {
@ -29,7 +30,7 @@ func TestEmptyMainCert(t *testing.T) {
 	var loopbackClientConfig *rest.Config
 	s := (&SecureServingOptions{
-		BindAddress: net.ParseIP("127.0.0.1"),
+		BindAddress: netutils.ParseIPSloppy("127.0.0.1"),
 	}).WithLoopback()
 	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {