dapr - v1.10.10
Dapr 1.10.10
This update contains the following security fixes:
- Security: prevent Sentry and Injector from applying the daprsystem
Configuration from a non control plane namespace.
Additionally, this patch release contains bug fixes:
- Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
- Fixed handling errors for Actors with special HTTP header
Security: Sentry and Injector only apply daprsystem
Configuration from the control plane namespace
Problem
Sentry and Injector will apply the daprsystem
configuration from a non-control plane namespace if the namespace name is alphabetically higher than the control plane namespace name.
Impact
Accidentally or maliciously, a Kubernetes user can write a Configuration in a non-control plane namespace that will be applied by Sentry and Injector.
This can re-write the Sentry CA, disable mTLS, or otherwise bring down the entire Dapr cluster.
Root cause
Sentry and Injector currently list Configurations, before matching on the list for the daprsystem
Configuration, without filtering for namespaces.
Solution
Update Sentry and Injector to only get the daprsystem
Configuration from the namespace where the Dapr control plane is installed, instead of listing all Configurations.
Fixed returning of HTTP status code in HTTP service invocation with resiliency enabled
Problem
With Resiliency enabled, in case of HTTP service invocation, if one application sends error status codes (HTTP codes <200 or >=400), Dapr returns a response with a generic 500 error, instead of the actual response error code.
Impact
Applications will receive the wrong status code in case of HTTP service invocation returning a failure error code with Resiliency enabled.
Root cause
A bug was discovered in how errors were handled when Resiliency was enabled, causing all errors from the application to be "swallowed" by Dapr.
Solution
Resiliency code now returns the correct status code to the application.
Fixed handling errors for Actors with special HTTP header
Problem
The Dapr's .Net SDK returns actor exceptions via a special response with the exception serialized in the response body and adding the X-Daprerrorresponseheader
HTTP header. This exception was not handled correctly starting at version 1.10, resulting in a generic error message at the calle's side.
See https://github.com/dapr/dapr/issues/6339
Impact
Actor exception details are lost and a generic message is returned instead.
Root cause
Retry logic in sidecar was dropping the error details returned by the actor method.
Solution
Fixed the retry logic to save the error's payload and return it in the end of the actor invocation logic.
Security
Security wording was detected, but no CVEs were found.
Details
- 🔍View and search all dapr releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!