grpc: enforce strict path checking for incoming requests on the server

[easwars]

RELEASE NOTES:

• server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like grpc/authz. Any request with a non-canonical path is now immediately rejected with an Unimplemented error.

[codecov]

Codecov Report

❌ Patch coverage is 61.53846% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.94%. Comparing base (d0d7cab) to head (edbf788).
⚠️ Report is 1 commits behind head on master.

Files with missing lines	Patch %	Lines
server.go	61.53%	7 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8985      +/-   ##
==========================================
- Coverage   83.02%   82.94%   -0.08%     
==========================================
  Files         411      411              
  Lines       32719    32733      +14     
==========================================
- Hits        27164    27151      -13     
- Misses       4165     4183      +18     
- Partials     1390     1399       +9     

Files with missing lines	Coverage Δ
internal/envconfig/envconfig.go	100.00% <ø> (ø)
server.go	82.48% <61.53%> (-0.16%)	⬇️

... and 22 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[arjan-bal]

@easwars we would also need to cherry-pick this change to the v1.80.x branch.

[easwars]

@easwars we would also need to cherry-pick this change to the v1.80.x branch.

Yes. I'm working on it as I'm typing this.

[millonbigs-cpu]

---

[millonbigs-cpu]

No sé qué hacer

[glaubitz]

Is this the complete fix for CVE-2026-33186?

[easwars]

Is this the complete fix for CVE-2026-33186?

Yes