This update contains the following security fixes:
- Security: prevent Sentry and Injector from applying the
daprsystem Configuration from a non control plane namespace.
Additionally, this patch release contains bug fixes:
- Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
- Fixed handling errors for Actors with special HTTP header
Security: Sentry and Injector only apply
daprsystem Configuration from the control plane namespace
Sentry and Injector will apply the
daprsystem configuration from a non-control plane namespace if the namespace name is alphabetically higher than the control plane namespace name.
Accidentally or maliciously, a Kubernetes user can write a Configuration in a non-control plane namespace that will be applied by Sentry and Injector.
This can re-write the Sentry CA, disable mTLS, or otherwise bring down the entire Dapr cluster.
Sentry and Injector currently list Configurations, before matching on the list for the
daprsystem Configuration, without filtering for namespaces.
Update Sentry and Injector to only get the
daprsystem Configuration from the namespace where the Dapr control plane is installed, instead of listing all Configurations.
Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
With Resiliency enabled, in case of HTTP service invocation, if one application sends error status codes (HTTP codes <200 or >=400), Dapr returns a response with a generic 500 error, instead of the actual response error code.
Applications will receive the wrong status code in case of HTTP service invocation returning a failure error code with Resiliency enabled.
A bug was discovered in how errors were handled when Resiliency was enabled, causing all errors from the application to be "swallowed" by Dapr.
Resiliency code now returns the correct status code to the application.
Fixed handling errors for Actors with special HTTP header
The Dapr's .Net SDK returns actor exceptions via a special response with the exception serialized in the response body and adding the
X-Daprerrorresponseheader HTTP header. This exception was not handled correctly starting at version 1.10, resulting in a generic error message at the calle's side.
Actor exception details are lost and a generic message is returned instead.
Retry logic in sidecar was dropping the error details returned by the actor method.
Fixed the retry logic to save the error's payload and return it in the end of the actor invocation logic.
Security wording was detected, but no CVEs were found.
- 🔍View and search all dapr releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!