
Commit dc96507

Merge pull request #984 from Wikid82/nightly
Weekly: Promote nightly to main (2026-04-27)
2 parents 48df8c8 + 727a865 commit dc96507

31 files changed

Lines changed: 199 additions & 73 deletions

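--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -72,8 +72,12 @@ mkdir -p /app/data/caddy 2>/dev/null || true
 mkdir -p /app/data/crowdsec 2>/dev/null || true
 mkdir -p /app/data/geoip 2>/dev/null || true
 
-# Fix ownership for directories created as root
+# Fix ownership for the data volume and required subdirectories when running as root.
+# This handles rootless Docker environments where the host volume may be owned by the
+# host user (mapped to container UID 0), making it inaccessible to the charon user.
 if is_root; then
+chown charon:charon /app/data 2>/dev/null || true
+chown charon:charon /config 2>/dev/null || true
 chown -R charon:charon /app/data/caddy 2>/dev/null || true
 chown -R charon:charon /app/data/crowdsec 2>/dev/null || true
 chown -R charon:charon /app/data/geoip 2>/dev/null || true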
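Review bot: The two new `chown charon:charon /app/data` and `chown charon:charon /config` lines discard the exact failure the new comment describes: on a rootless host where the volume root is owned by a UID the container cannot map, the chown fails with EPERM, `2>/dev/null || true` hides it, and the container goes on to fail later with an opaque permission error far from the cause. Report the condition instead of swallowing it, e.g. `chown charon:charon /app/data 2>/dev/null || echo "warning: could not change ownership of /app/data; check volume ownership" >&2`, and the same for `/config`. Note also that a non-recursive `chown` dereferences a symlink given as its argument, so if either path were ever a link the ownership change would land on the target; `chown -h` avoids that if these paths are not guaranteed to be real directories — confirm against how the image creates them. The `if is_root` block is closed outside the hunk.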

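--- a/.github/workflows/release-goreleaser.yml
+++ b/.github/workflows/release-goreleaser.yml
@@ -75,7 +75,7 @@ jobs:
 
 
 - name: Run GoReleaser
-uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7
+uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7
 with:
 distribution: goreleaser
 version: '~> v2.5'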

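--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,4 +1,5 @@
 {
+"docker.host": "unix:///run/user/1001/docker.sock",
 "gopls": {
 "buildFlags": ["-tags=integration"]
 },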
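Review bot: The new `"docker.host": "unix:///run/user/1001/docker.sock"` line commits one developer's rootless socket path, including their UID, into a shared workspace file, and `.vscode/tasks.json` does the same with `/home/jeremy/docker/containers/charon/docker-compose.yml` plus the same socket in each task's new `env` block; for any other contributor the tasks point at a socket and a compose file that do not exist, and the commit publishes a developer's local layout. VS Code tasks inherit the editor's environment, so the three `env` blocks in tasks.json can be dropped and each developer exports `DOCKER_HOST` locally, and the compose path can be made workspace-relative. For settings.json, leaving `docker.host` unset presumably lets the Docker extension fall back to `DOCKER_HOST` — confirm with the extension's documentation. If a per-machine override is genuinely needed, keep it in an untracked local file rather than the committed one.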

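--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -4,21 +4,36 @@
 {
 "label": "Docker Compose Up",
 "type": "shell",
-"command": "docker compose -f /root/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"command": "docker compose -f /home/jeremy/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"options": {
+"env": {
+"DOCKER_HOST": "unix:///run/user/1001/docker.sock"
+}
+},
 "group": "build",
 "problemMatcher": []
 },
 {
 "label": "Build & Run: Local Docker Image",
 "type": "shell",
-"command": "docker build -t charon:local . && docker compose -f /root/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"command": "docker build -t charon:local . && docker compose -f /home/jeremy/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"options": {
+"env": {
+"DOCKER_HOST": "unix:///run/user/1001/docker.sock"
+}
+},
 "group": "build",
 "problemMatcher": []
 },
 {
 "label": "Build & Run: Local Docker Image No-Cache",
 "type": "shell",
-"command": "docker build --no-cache -t charon:local . && docker compose -f /root/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"command": "docker build --no-cache -t charon:local . && docker compose -f /home/jeremy/docker/containers/charon/docker-compose.yml up -d && echo 'Charon running at http://localhost:8787'",
+"options": {
+"env": {
+"DOCKER_HOST": "unix:///run/user/1001/docker.sock"
+}
+},
 "group": "build",
 "problemMatcher": []
 },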

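--- a/Dockerfile
+++ b/Dockerfile
@@ -384,6 +384,12 @@ RUN go get github.com/expr-lang/expr@v${EXPR_LANG_VERSION} && \
 # CVE-2026-32286: pgproto3/v2 buffer overflow (no v2 fix exists; bump pgx/v4 to latest patch)
 # renovate: datasource=go depName=github.com/jackc/pgx/v4
 go get github.com/jackc/pgx/v4@v4.18.3 && \
+# CVE-2026-29181 (GHSA-mh2q-q3fh-2475): OpenTelemetry-Go baggage header multi-value DoS
+# go.opentelemetry.io/otel >= 1.36.0 and <= 1.40.0 is vulnerable; fix available at v1.41.0.
+# Pin here so the CrowdSec binary is patched immediately;
+# remove once CrowdSec ships a release built with go.opentelemetry.io/otel >= v1.41.0.
+# renovate: datasource=go depName=go.opentelemetry.io/otel
+go get go.opentelemetry.io/otel@v1.43.0 && \
 # GHSA-xmrv-pmrh-hhx2: AWS SDK v2 event stream injection
 # renovate: datasource=go depName=github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream
 go get github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream@v1.7.9 && \
@@ -486,7 +492,7 @@ SHELL ["/bin/ash", "-o", "pipefail", "-c"]
 # Note: In production, users should provide their own MaxMind license key
 # This uses the publicly available GeoLite2 database
 # In CI, timeout quickly rather than retrying to save build time
-ARG GEOLITE2_COUNTRY_SHA256=62049119bd084e19fff4689bebe258f18a5f27a386e6d26ba5180941b613fc2b
+ARG GEOLITE2_COUNTRY_SHA256=c880cbc7e6b1a9b1a96d530c34996480d6d809d2c89a6bd73a5072e4fffbc01c
 RUN mkdir -p /app/data/geoip && \
 if [ "$CI" = "true" ] || [ "$CI" = "1" ]; then \
 echo "⏱️ CI detected - quick download (10s timeout, no retries)"; \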
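Review bot: The replaced checksum on the `ARG GEOLITE2_COUNTRY_SHA256=` line carries no record of which GeoLite2 edition it was computed from or where the value came from, so a later reviewer cannot distinguish a hash verified against the upstream artifact from one copied out of a failed build's "expected/actual" output. Add a provenance comment above the ARG each time it is bumped, e.g. `# GeoLite2-Country database released <YYYY-MM-DD>; sha256 computed from <download source> on <date>`. Because it is an ARG, `--build-arg` can override the expected value at build time; that is presumably intended for updates, but it is worth stating in the same comment so the pin is not mistaken for an unconditional integrity guard. The RUN that consumes the value continues past the hunk.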

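--- a/backend/.golangci-fast.yml
+++ b/backend/.golangci-fast.yml
@@ -31,3 +31,8 @@ linters:
 - G501 # Blacklisted import crypto/md5
 - G502 # Blacklisted import crypto/des
 - G503 # Blacklisted import crypto/rc4
+exclusions:
+rules:
+- path: "_test\\.go"
+linters:
+- gosec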
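Review bot: The new `exclusions` rule turns off every gosec check for all `_test.go` files, which also silences G101 (hard-coded credentials), and test fixtures are where real tokens and passwords most often end up committed. If the intent is to quiet the rules that are noisy in tests, scope the rule with a `text` filter under the same `path`, e.g. `text: "G(304|306|404)"`, so credential detection stays on for tests. Whether `exclusions` sits at the right nesting level depends on the config version (golangci-lint v2 expects it under `linters:`), which the stripped indentation in this view does not show — confirm with `golangci-lint config verify`.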

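--- a/backend/cmd/localpatchreport/main.go
+++ b/backend/cmd/localpatchreport/main.go
@@ -230,20 +230,20 @@ func writeMarkdown(path string, report reportJSON, backendCoveragePath, frontend
 var builder strings.Builder
 builder.WriteString("# Local Patch Coverage Report\n\n")
 builder.WriteString("## Metadata\n\n")
-builder.WriteString(fmt.Sprintf("- Generated: %s\n", report.GeneratedAt))
-builder.WriteString(fmt.Sprintf("- Baseline: `%s`\n", report.Baseline))
-builder.WriteString(fmt.Sprintf("- Mode: `%s`\n\n", report.Mode))
+fmt.Fprintf(&builder, "- Generated: %s\n", report.GeneratedAt)
+fmt.Fprintf(&builder, "- Baseline: `%s`\n", report.Baseline)
+fmt.Fprintf(&builder, "- Mode: `%s`\n\n", report.Mode)
 
 builder.WriteString("## Inputs\n\n")
-builder.WriteString(fmt.Sprintf("- Backend coverage: `%s`\n", backendCoveragePath))
-builder.WriteString(fmt.Sprintf("- Frontend coverage: `%s`\n\n", frontendCoveragePath))
+fmt.Fprintf(&builder, "- Backend coverage: `%s`\n", backendCoveragePath)
+fmt.Fprintf(&builder, "- Frontend coverage: `%s`\n\n", frontendCoveragePath)
 
 builder.WriteString("## Resolved Thresholds\n\n")
 builder.WriteString("| Scope | Minimum (%) | Source |\n")
 builder.WriteString("|---|---:|---|\n")
-builder.WriteString(fmt.Sprintf("| Overall | %.1f | %s |\n", report.Thresholds.Overall, report.ThresholdSources.Overall))
-builder.WriteString(fmt.Sprintf("| Backend | %.1f | %s |\n", report.Thresholds.Backend, report.ThresholdSources.Backend))
-builder.WriteString(fmt.Sprintf("| Frontend | %.1f | %s |\n\n", report.Thresholds.Frontend, report.ThresholdSources.Frontend))
+fmt.Fprintf(&builder, "| Overall | %.1f | %s |\n", report.Thresholds.Overall, report.ThresholdSources.Overall)
+fmt.Fprintf(&builder, "| Backend | %.1f | %s |\n", report.Thresholds.Backend, report.ThresholdSources.Backend)
+fmt.Fprintf(&builder, "| Frontend | %.1f | %s |\n\n", report.Thresholds.Frontend, report.ThresholdSources.Frontend)
 
 builder.WriteString("## Coverage Summary\n\n")
 builder.WriteString("| Scope | Changed Lines | Covered Lines | Patch Coverage (%) | Status |\n")
@@ -262,22 +262,22 @@ func writeMarkdown(path string, report reportJSON, backendCoveragePath, frontend
 if len(fileCoverage.UncoveredChangedLineRange) > 0 {
 ranges = strings.Join(fileCoverage.UncoveredChangedLineRange, ", ")
 }
-builder.WriteString(fmt.Sprintf("| `%s` | %.1f | %d | %s |\n", fileCoverage.Path, fileCoverage.PatchCoveragePct, fileCoverage.UncoveredChangedLines, ranges))
+fmt.Fprintf(&builder, "| `%s` | %.1f | %d | %s |\n", fileCoverage.Path, fileCoverage.PatchCoveragePct, fileCoverage.UncoveredChangedLines, ranges)
 }
 builder.WriteString("\n")
 }
 
 if len(report.Warnings) > 0 {
 builder.WriteString("## Warnings\n\n")
 for _, warning := range report.Warnings {
-builder.WriteString(fmt.Sprintf("- %s\n", warning))
+fmt.Fprintf(&builder, "- %s\n", warning)
 }
 builder.WriteString("\n")
 }
 
 builder.WriteString("## Artifacts\n\n")
-builder.WriteString(fmt.Sprintf("- Markdown: `%s`\n", report.Artifacts.Markdown))
-builder.WriteString(fmt.Sprintf("- JSON: `%s`\n", report.Artifacts.JSON))
+fmt.Fprintf(&builder, "- Markdown: `%s`\n", report.Artifacts.Markdown)
+fmt.Fprintf(&builder, "- JSON: `%s`\n", report.Artifacts.JSON)
 
 if err := os.WriteFile(path, []byte(builder.String()), 0o600); err != nil {
 return fmt.Errorf("write markdown file: %w", err)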
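Review bot: The per-file table row written with `fmt.Fprintf` at new line 265 and the `- %s\n` warning lines at new line 273 interpolate `fileCoverage.Path`, `ranges` and `warning` into Markdown unescaped, so a path or warning message containing `|`, a backtick or a newline breaks the table or starts a new block; this was equally true of the `Sprintf` form the commit replaces, but the rewrite is the natural moment to fix it. A small local helper applied to the string arguments keeps the report well-formed, e.g. `mdCell := strings.NewReplacer("|", "\\|", "\n", " ")` and then `mdCell.Replace(fileCoverage.Path)` in the row. Ignoring the `Fprintf` results is fine here because `strings.Builder` never returns a write error. `writeMarkdown` begins and ends outside the hunks.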

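--- a/backend/go.mod
+++ b/backend/go.mod
@@ -90,7 +90,7 @@ require (
 golang.org/x/sys v0.43.0 // indirect
 google.golang.org/protobuf v1.36.11 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
-modernc.org/libc v1.72.0 // indirect
+modernc.org/libc v1.72.1 // indirect
 modernc.org/mathutil v1.7.1 // indirect
 modernc.org/memory v1.11.0 // indirect
 modernc.org/sqlite v1.49.1 // indirect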

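--- a/backend/go.sum
+++ b/backend/go.sum
@@ -213,10 +213,10 @@ gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
-modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
-modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
-modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
+modernc.org/cc/v4 v4.28.1 h1:XpLbkYVQ24E8tX5u8+yWGvaxerxkR/S4zqxI8ZoSBuc=
+modernc.org/cc/v4 v4.28.1/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
+modernc.org/ccgo/v4 v4.33.0 h1:dspBCm75jsj8Y/ufwAMVfe375L2iYdMyQ2QG/v3hL54=
+modernc.org/ccgo/v4 v4.33.0/go.mod h1:+RhXBoRYzRwaH21mV/aj6XvQRDtfjcZfAlPMsQo8CR0=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -225,14 +225,14 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
-modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
+modernc.org/libc v1.72.1 h1:db1xwJ6u1kE3KHTFTTbe2GCrczHPKzlURP0aDC4NGD0=
+modernc.org/libc v1.72.1/go.mod h1:HRMiC/PhPGLIPM7GzAFCbI+oSgE3dhZ8FWftmRrHVlY=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
-modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
-modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
 modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U=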

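--- a/backend/internal/api/handlers/logs_handler.go
+++ b/backend/internal/api/handlers/logs_handler.go
@@ -93,8 +93,9 @@ func (h *LogsHandler) Download(c *gin.Context) {
 }
 }()
 
-// #nosec G304 -- path is validated via LogService.GetLogPath
-srcFile, err := os.Open(path)
+// #nosec G304 -- path is validated via LogService.GetLogPath which enforces
+// filepath.Base equality check and path prefix validation.
+srcFile, err := os.Open(path) //nolint:gosec // nosemgrep: go.gin.path-traversal.gin-path-traversal-taint.gin-path-traversal-taint
 if err != nil {
 if err := tmpFile.Close(); err != nil {
 logger.Log().WithError(err).Warn("failed to close temp file")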
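Review bot: The rewritten `srcFile, err := os.Open(path)` line now stacks three suppressions (`#nosec G304`, `//nolint:gosec`, `nosemgrep`) whose only justification is a check in `LogService.GetLogPath` that this handler cannot see, and the comment's description of that check — a `filepath.Base` equality and a path-prefix comparison — is exactly the kind of claim that drifts silently when the service changes. A prefix comparison on a cleaned path also does not by itself rule out a symlink inside the log directory pointing elsewhere, so unless `GetLogPath` resolves the path (`filepath.EvalSymlinks`) or the log directory is guaranteed symlink-free, that assumption is worth confirming before the handler relies on it. Make the suppression verifiable by pointing at the test that pins the validation, e.g. `// #nosec G304 -- path comes from LogService.GetLogPath; traversal rejection is covered by <name of the GetLogPath test>`, and drop the duplicate `//nolint:gosec` if the repo's golangci-lint already honors `#nosec`. `Download` starts and ends outside the hunk.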
