fix(dashmate): bump Envoy gateway to 1.35.11 for HTTP/2 DoS (CVE-2026-47774)#3794
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
✅ Review complete (commit c2c3347) |
thepastaclaw
left a comment
There was a problem hiding this comment.
Code Review
Targeted CVE-2026-47774 hotfix bumping the default Envoy gateway image and adding a 3.0.2 migration that resets all existing configs. Migration dispatch and test coverage are sound. Two reviewers independently flagged a brittle regex in the new regression test that duplicates a stronger assertion already present in the same test.
🟡 1 suggestion(s) | 💬 1 nitpick(s)
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js`:
- [SUGGESTION] packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js:59-61: Brittle regex on base image will break on future valid Envoy bumps
The regex `/^dashpay\/envoy:1\.(3[5-9]|[4-9]\d)\./` pins the base default to the Envoy 1.35..1.99 range. A legitimate future bump to a 2.x line (or to 1.100+) will fail this test without indicating any security regression. The security intent is already captured by line 82 (`expect(migratedImage).to.not.equal('dashpay/envoy:1.30.2-impr.1')`), which transitively guards the base default since `migratedImage === patchedImage` after the migration runs. Replacing the regex with an explicit assertion that the base default is not the known-vulnerable tag expresses the same invariant without coupling to a specific upstream version range.
| // The base default itself must be on a patched line (>= 1.35), never the | ||
| // vulnerable 1.30.x line — pins the security intent of the fix. | ||
| expect(patchedImage).to.match(/^dashpay\/envoy:1\.(3[5-9]|[4-9]\d)\./); |
There was a problem hiding this comment.
🟡 Suggestion: Brittle regex on base image will break on future valid Envoy bumps
The regex /^dashpay\/envoy:1\.(3[5-9]|[4-9]\d)\./ pins the base default to the Envoy 1.35..1.99 range. A legitimate future bump to a 2.x line (or to 1.100+) will fail this test without indicating any security regression. The security intent is already captured by line 82 (expect(migratedImage).to.not.equal('dashpay/envoy:1.30.2-impr.1')), which transitively guards the base default since migratedImage === patchedImage after the migration runs. Replacing the regex with an explicit assertion that the base default is not the known-vulnerable tag expresses the same invariant without coupling to a specific upstream version range.
| // The base default itself must be on a patched line (>= 1.35), never the | |
| // vulnerable 1.30.x line — pins the security intent of the fix. | |
| expect(patchedImage).to.match(/^dashpay\/envoy:1\.(3[5-9]|[4-9]\d)\./); | |
| // The base default must not stay on the known-vulnerable 1.30.x line. | |
| expect(patchedImage).to.not.equal('dashpay/envoy:1.30.2-impr.1'); |
source: ['claude', 'codex']
There was a problem hiding this comment.
Resolved in this update — Brittle regex on base image will break on future valid Envoy bumps no longer present.
Auto-resolved by the review system based on the latest commit diff. If you believe this was closed in error, reopen the thread.
…-47774) The Platform Gateway runs dashpay/envoy:1.30.2-impr.1 (Envoy 1.30.x), affected by GHSA-22m2-hvr2-xqc8 / CVE-2026-47774 (CVSS 7.5): an unauthenticated HTTP/2 downstream memory-exhaustion DoS — cookie header bytes bypass max_request_headers_kb and HPACK decode amplification expands small encoded headers into large decoded ones. The 1.30 line is EOL; 1.35.11 is the patched line published upstream. - Bump the base config default gateway image to dashpay/envoy:1.35.11-impr.1 (built + published from dashpay/docker-envoy#3; multi-arch, verified to contain Envoy 1.35.11). - Add a 3.0.2 config migration that rewrites only the EOL 1.30.x Envoy image to the patched default, leaving deliberately customised images untouched. No migration above 3.0.0 touched the gateway image, so v3 configs (3.0.0..3.0.1-hotfix.*) would otherwise stay on the vulnerable image. - Update gateway/update docs. Config validated against Envoy 1.35.11 (envoy --mode validate, all conditional branches): loads clean, zero deprecation warnings. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
e080449 to
c2c3347
Compare
thepastaclaw
left a comment
There was a problem hiding this comment.
Code Review
Cumulative incremental review for PR #3794 (CVE-2026-47774 Envoy bump). Prior findings reconciliation: (1) 'Brittle regex on base image' — FIXED (the regex assertion was removed entirely from the test file in commit c2c3347); (2) 'Migration unconditionally overwrites custom gateway images' — FIXED (getConfigFileMigrationsFactory.js:1411-1414 now gates the rewrite on /^dashpay/envoy:1.30./, preserving custom images). New latest-delta finding: the removal also dropped the only regression test that directly exercised the new 3.0.2 conditional — the remaining v0.25.0->latest migration test does not cover it because the fixture image is 1.22.11 and an earlier migration rewrites the gateway image well before the 3.0.2 step runs.
🟡 1 suggestion(s)
1 additional finding(s) omitted (not in diff).
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js`:
- [SUGGESTION] packages/dashmate/test/unit/config/configFile/migrateConfigFileFactory.spec.js:25-48: New finding (latest delta): 3.0.2 Envoy CVE migration is no longer covered by a regression test
The latest delta (c2c33473) removed the dedicated regression test for the new 3.0.2 migration branch. The remaining `should migrate v0.25.0 config file to the latest one` test does walk through every migration step, but it does not exercise the new conditional at getConfigFileMigrationsFactory.js:1411-1414: the v0.25.0 fixture pins `dashpay/envoy:1.22.11` (src/test/fixtures/getConfigFileDataV0250.js:79), and an earlier migration step rewrites `platform.gateway.docker.image` to the base default well before the 3.0.2 step runs. By the time the 3.0.2 step executes in that test, the `/^dashpay\/envoy:1\.30\./` regex matches nothing, so the new security-relevant branch has zero coverage. Because this PR is a CVE hotfix for already-deployed v3 configs, the rewrite path from a vulnerable 1.30.x image to the patched base default should be pinned by a dedicated test. A version-agnostic test that feeds a config at `configFormatVersion: '3.0.1-hotfix.4'` with `dashpay/envoy:1.30.2-impr.1` and asserts the migrated image equals `base.get('platform.gateway.docker.image')` would pin the behaviour without re-introducing the brittle version-range regex flagged in the previous review.
…custom images The 4.0.0-rc.2 entry added in dashpay#3889 was both unreachable for already- stamped rc.2 configs (migrateConfigFile short-circuits when fromVersion === toVersion) and unconditional: it overwrote every Drive ABCI / rs-dapi image with the current default, clobbering private forks and vendor-patched builds. Re-key the migration at 4.0.0-rc.3 (the next release; same flow as the 3.0.2 Envoy CVE - dashpay#3794 added the migration, dashpay#3796 cut the release) and only rewrite the stale dashmate-shipped tags (dashpay/drive:3, dashpay/rs-dapi:3, including their -dev/-rc series), mirroring the 3.0.2 Envoy CVE migration's predicate style. Custom images are preserved. The migration fires for both 3.0.x -> 4.0.0-rc.x upgrades (the loop runs every migration with key > fromVersion) and 4.0.0-rc.2 -> 4.0.0-rc.3 once a chore(release) bumps the package version. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…custom images The 4.0.0-rc.2 entry added in dashpay#3889 was both unreachable for already- stamped rc.2 configs (migrateConfigFile short-circuits when fromVersion === toVersion) and unconditional: it overwrote every Drive ABCI / rs-dapi image with the current default, clobbering private forks and vendor-patched builds. Re-key the migration at 4.0.0-rc.3 (the next release; same flow as the 3.0.2 Envoy CVE - dashpay#3794 added the migration, dashpay#3796 cut the release) and only rewrite the stale dashmate-shipped tags (dashpay/drive:3, dashpay/rs-dapi:3, including their -dev/-rc series), mirroring the 3.0.2 Envoy CVE migration's predicate style. Custom images are preserved. The migration fires for both 3.0.x -> 4.0.0-rc.x upgrades (the loop runs every migration with key > fromVersion) and 4.0.0-rc.2 -> 4.0.0-rc.3 once a chore(release) bumps the package version. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Issue being fixed or feature implemented
v3 hotfix. The Platform Gateway pins
dashpay/envoy:1.30.2-impr.1(Envoy 1.30.x), affected by GHSA-22m2-hvr2-xqc8 (CVE-2026-47774, CVSS 7.5 High) — an unauthenticated HTTP/2 downstream memory-exhaustion DoS: cookie header bytes bypassmax_request_headers_kb, and HPACK decode amplification expands small encoded headers into large decoded ones. The 1.30 line is EOL (no backport).What was done?
Moved the gateway to the patched
dashpay/envoy:1.35.11-impr.1— the only patched Envoy line published upstream so far, and the smallest jump from 1.30.3.0.2config migration resetting the gateway image to the patched default for existing nodes. No migration above3.0.0touched the gateway image, so v3 configs (3.0.0..3.0.1-hotfix.4) would otherwise stay on the vulnerable 1.30 image.docs/config/gateway.mdanddocs/update.md.The image is already built, published, and verified (multi-arch amd64/arm64, contains Envoy
1.35.11): built from dashpay/docker-envoy#3 via releasev1.35.11-impr.1. So this PR is not blocked on image availability.How Has This Been Tested?
Added a regression test in
migrateConfigFileFactory.spec.jsfor the v3 cohort. Red→green verified via the realmigrateConfigFiledispatch + real base config:Separately, the rendered gateway config was validated against Envoy 1.35.11 (
envoy --mode validate, all conditional branches) — loads clean, zero deprecation warnings.Breaking Changes
None.
Checklist:
For repository code-owners and collaborators only