
Cherry pick fix for CVE-2026-33186 for 1.66.x (grpc-ui vuln.) #9024

Closed

olegbonar wants to merge 1 commit into grpc:v1.66.x from olegbonar:fix-cve-2026-33186

Conversation

@olegbonar

Summary

Test plan

  • New test TestMalformedMethodPath validates all combinations of malformed paths and env var settings
  • Verify existing tests pass with no regressions

@codecov

codecov Bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 61.53846% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.81%. Comparing base (85ec11d) to head (03a3635).

Files with missing lines | Patch % | Lines
server.go | 61.53% | 7 Missing and 3 partials ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##           v1.66.x    #9024      +/-   ##
===========================================
- Coverage    81.94%   81.81%   -0.13%     
===========================================
  Files          361      361              
  Lines        27862    27876      +14     
===========================================
- Hits         22831    22808      -23     
- Misses        3841     3865      +24     
- Partials      1190     1203      +13     
Files with missing lines | Coverage Δ
internal/envconfig/envconfig.go | 100.00% <ø> (ø)
server.go | 82.10% <61.53%> (-0.35%) ⬇️

... and 23 files with indirect coverage changes


@olegbonar
Author

The failures on the PR are branch-level CI issues, not caused by the cherry-pick, I think.

@easwars
Contributor

easwars commented Mar 27, 2026

The 1.66 release went out in Aug-Sep of 2024. That's about a year and a half old. Why do you want to cherry-pick this fix into a branch that old?

@olegbonar
Author

@easwars we were lucky enough to run into this CVE in the fullstorydev/grpcui package, which uses exactly 1.66.x still, sadly.

@easwars
Contributor

easwars commented Mar 27, 2026

Have you had a chance to check with the fullstorydev/grpcui package to see if they can upgrade?

Otherwise, you should be able to change your go.mod to depend on the latest grpc release that contains the fix.

Unfortunately, 1.66 is too old according to our policy. See our FAQ: https://grpc.io/docs/what-is-grpc/faq/#how-long-are-grpc-releases-supported-for
