
grpc: enforce strict path checking for incoming requests on the server#8981

Merged
easwars merged 3 commits into grpc:v1.79.x from easwars:v1.79.x on Mar 17, 2026

Conversation

@easwars (Contributor)

@easwars easwars commented Mar 17, 2026

RELEASE NOTES:

  • server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error.

This PR regenerates the expired SPIFFE certs and changes the expiry time
to 10 years.
This PR also corrects the `README.md` which had 1 typo and one wrong
script name.

RELEASE NOTES: None
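To make the release note concrete, here is an added illustration of the ordering of checks it describes. This is not code from this PR or from grpc-go: the `Code` type, the `denyPrefixes` rule set and the `Dispatch` function are constructed for the example, and the canonical shape `/<service>/<method>` is taken from the gRPC-over-HTTP/2 spec rather than from the patch itself. The point it shows is that a prefix-based "deny" rule written with a leading slash never matches a `:path` that lacks one, so a strict canonical-path check has to run before any interceptor sees the request.

```go
package main

import (
	"fmt"
	"strings"
)

// Code mirrors the gRPC status codes relevant here, defined locally so the
// example builds with the standard library alone (assumption: a real server
// would use google.golang.org/grpc/codes).
type Code int

const (
	OK Code = iota
	PermissionDenied
	Unimplemented
)

func (c Code) String() string {
	return [...]string{"OK", "PermissionDenied", "Unimplemented"}[c]
}

// denyPrefixes is a constructed stand-in for a path-based "deny" rule set as
// an authz interceptor would hold it; every rule is written in canonical form.
var denyPrefixes = []string{"/admin.Admin/"}

// IsCanonicalPath reports whether p has the shape "/<service>/<method>":
// a leading slash, a non-empty service name, exactly one separator and a
// non-empty method name.
func IsCanonicalPath(p string) bool {
	if !strings.HasPrefix(p, "/") {
		return false // the bypass case: no leading slash
	}
	rest := p[1:]
	sep := strings.Index(rest, "/")
	if sep <= 0 || sep == len(rest)-1 {
		return false // empty service or empty method
	}
	return !strings.Contains(rest[sep+1:], "/") // method must not contain "/"
}

// MatchesDenyRule is the prefix match an interceptor performs. A path that
// lacks the leading slash never matches a rule that has one.
func MatchesDenyRule(p string) bool {
	for _, rule := range denyPrefixes {
		if strings.HasPrefix(p, rule) {
			return true
		}
	}
	return false
}

// Dispatch models the post-fix order of checks: the canonical-path check runs
// before any interceptor, so a malformed :path is answered with Unimplemented
// and never reaches the authz logic.
func Dispatch(path string) Code {
	if !IsCanonicalPath(path) {
		return Unimplemented
	}
	if MatchesDenyRule(path) {
		return PermissionDenied
	}
	return OK
}

func main() {
	for _, p := range []string{
		"/grpc.health.v1.Health/Check", // canonical, allowed
		"/admin.Admin/Shutdown",        // canonical, denied by rule
		"admin.Admin/Shutdown",         // missing leading slash: rejected up front
	} {
		fmt.Printf("%-32q deny-rule match=%-5v -> %s\n", p, MatchesDenyRule(p), Dispatch(p))
	}
}
```

The third input is the interesting one: `MatchesDenyRule` returns false for it, which is why a server that only relied on the interceptor would have let it through, while `Dispatch` rejects it with `Unimplemented` before the rule is ever consulted.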
@codecov

codecov Bot commented Mar 17, 2026

Codecov Report

❌ Patch coverage is 61.53846% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.20%. Comparing base (97ca352) to head (764a562).
⚠️ Report is 1 commits behind head on v1.79.x.

Files with missing lines   Patch %   Lines
server.go                  61.53%    7 Missing and 3 partials ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           v1.79.x    #8981      +/-   ##
===========================================
- Coverage    83.28%   83.20%   -0.09%     
===========================================
  Files          414      414              
  Lines        32744    32758      +14     
===========================================
- Hits         27272    27257      -15     
- Misses        4067     4086      +19     
- Partials      1405     1415      +10     
Files with missing lines          Coverage   Δ
internal/envconfig/envconfig.go   100.00%    <ø> (ø)
server.go                         82.48%     <61.53%> (-0.16%) ⬇️

... and 22 files with indirect coverage changes


@easwars easwars merged commit 72186f1 into grpc:v1.79.x Mar 17, 2026
12 of 14 checks passed
easwars added a commit to easwars/grpc-go that referenced this pull request Mar 17, 2026
grpc#8981)

RELEASE NOTES:
* server: fix an authorization bypass where malformed :path headers
(missing the leading slash) could bypass path-based restricted "deny"
rules in interceptors like `grpc/authz`. Any request with a
non-canonical path is now immediately rejected with an `Unimplemented`
error.
denwi pushed a commit to denwi/jfrog-cli-grpcgo-1.79.3 that referenced this pull request Mar 19, 2026
danielmellado pushed a commit to danielmellado/grpc-go that referenced this pull request Mar 30, 2026
grpc#8981)
saswatamcode pushed a commit to thanos-community/grpc-go that referenced this pull request Mar 31, 2026
grpc#8981) (#1)
Co-authored-by: Easwar Swaminathan <easwars@google.com>
bschimke95 added a commit to canonical/k8sd that referenced this pull request Apr 2, 2026
gRPC-Go v1.79.1 and earlier have an authorization bypass where malformed
:path headers (missing the leading slash) could bypass path-based
restricted "deny" rules in interceptors like grpc/authz. v1.79.3
rejects any request with a non-canonical path with an Unimplemented
error.

Severity: Critical
Ref: grpc/grpc-go#8981
Atharva-Shinde pushed a commit to Atharva-Shinde/grpc-go that referenced this pull request Apr 9, 2026
grpc#8981)

RELEASE NOTES:
* server: fix an authorization bypass where malformed :path headers
(missing the leading slash) could bypass path-based restricted "deny"
rules in interceptors like `grpc/authz`. Any request with a
non-canonical path is now immediately rejected with an `Unimplemented`
error.