dependabot[bot] opened a new pull request, #13252:
URL: https://github.com/apache/apisix/pull/13252

   Bumps [github.com/dapr/dapr](https://github.com/dapr/dapr) from 1.6.0 to 
1.15.14.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/dapr/dapr/releases">github.com/dapr/dapr's releases</a>.</em></p>
   <blockquote>
   <h2>Dapr Runtime v1.15.14</h2>
   <h1>Dapr 1.15.14</h1>
   <p>This update contains a critical security fix:</p>
   <ul>
   <li><a href="https://github.com/dapr/dapr/blob/HEAD/#security-service-invocation-path-traversal-bypasses-access-control-policies">Security: Service invocation path traversal bypasses access control policies</a></li>
   <li><a href="https://github.com/dapr/dapr/blob/HEAD/#go-update-to-v1259">Go: Update to v1.25.9</a></li>
   </ul>
   <h2>Security: Service invocation path traversal bypasses access control 
policies</h2>
   <h3>Problem</h3>
   <p>Reserved URL characters and path traversal sequences in service 
invocation method paths could bypass access control policies.
   An attacker with access to the Dapr HTTP or gRPC API could invoke operations 
on a target application that the ACL was configured to deny.</p>
   <h3>Impact</h3>
   <p>Any deployment using access control policies for service invocation is 
affected. An attacker who can reach the Dapr API (HTTP or gRPC) could:</p>
   <ul>
   <li>Use encoded path traversal (<code>admin%2F..%2Fpublic</code>) to reach 
an allowed path (<code>/public</code>) while the method started from a denied 
prefix (<code>/admin</code>).</li>
   <li>Use encoded fragment (<code>%23</code>) or query (<code>%3F</code>) 
characters to cause the ACL to evaluate a different path than what was 
delivered to the target application.</li>
   <li>Use a bare <code>%</code> to crash the ACL normalization, potentially 
bypassing the policy entirely.</li>
   </ul>
   <p>The gRPC API was the more dangerous vector because gRPC passes the method 
as a raw string with no client-side URL sanitization — <code>#</code>, 
<code>?</code>, <code>%</code>, <code>../</code>, and control characters were 
all delivered literally.</p>
   <h3>Root Cause</h3>
   <p>The method path was normalized independently in two places:</p>
   <ol>
   <li>The ACL used <code>purell.NormalizeURLString</code> which treated the 
method as a URL — decoding <code>%XX</code>, resolving <code>../</code>, and 
stripping <code>#</code> as a fragment delimiter and <code>?</code> as a query 
delimiter.</li>
   <li>The dispatch layer (<code>constructRequest</code> for HTTP, gRPC 
passthrough) used the raw method string.</li>
   </ol>
   <p>This created a mismatch: the ACL authorized one path while the target 
application received a different one. For example, 
<code>admin%2F..%2Fpublic</code> was normalized by the ACL to 
<code>public</code> (allowed), but the target application received the raw 
<code>admin/../public</code>.</p>
   <h3>Solution</h3>
   <p>The method path is now normalized at the service invocation edge — in 
<code>directMessaging.Invoke</code> for HTTP and gRPC public API calls, in 
<code>callLocalValidateACL</code> for gRPC internal calls, and in the gRPC 
proxy handler for proxied calls. The normalized form is used for both the ACL 
check and the outbound dispatch, eliminating the mismatch. The ACL is a pure 
policy evaluation layer and performs no normalization of its own.</p>
   <p>For HTTP, Go's <code>net/http</code> server decodes percent-encoding in 
<code>r.URL.Path</code> before the method is extracted. For gRPC, method 
strings are raw (no percent-decoding) and are treated as opaque — 
percent-encoded sequences like <code>%2F</code> are literal characters, not 
path separators.</p>
   <p>Normalization uses <code>path.Clean</code> to resolve <code>../</code> 
and duplicate slashes, and rejects method paths containing <code>#</code>, 
<code>?</code>, null bytes, or control characters. The <code>purell</code> 
dependency has been removed from the ACL path.</p>
   <p>As defense-in-depth, <code>constructRequest</code> in the HTTP channel 
applies <code>path.Clean</code> to the method before building the outbound 
URL.</p>
   <p>Users are strongly encouraged to upgrade to this release.</p>
   <h2>Go: Update to v1.25.9</h2>
   <p>Update Go version to cover CVEs in the 1.24 line.</p>
   <h2>Dapr Runtime v1.15.13</h2>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/dapr/dapr/commit/cb31ff1469888bf153e8b1c29abef373d44b2197"><code>cb31ff1</code></a> [1.15] fix service invocation path traversal ACL bypass (<a href="https://redirect.github.com/dapr/dapr/issues/9802">#9802</a>)</li>
   <li><a href="https://github.com/dapr/dapr/commit/ae09be1066fe14add621c8c0b76f3cae882e970c"><code>ae09be1</code></a> Updated components contrib, and added release notes (<a href="https://redirect.github.com/dapr/dapr/issues/9152">#9152</a>)</li>
   <li><a href="https://github.com/dapr/dapr/commit/5fa853e1ce13fe0e5e7b6203d4c23ec8a527cfec"><code>5fa853e</code></a> Merge pull request <a href="https://redirect.github.com/dapr/dapr/issues/9145">#9145</a> from cicoyle/cherrypick-grpc-metadata-1.15</li>
   <li><a href="https://github.com/dapr/dapr/commit/e0bbaa5893be00c506bec2ef0185d261ddc00d87"><code>e0bbaa5</code></a> cherrypick and fix issues from 1.15 and 1.16 having diff code refactors</li>
   <li><a href="https://github.com/dapr/dapr/commit/8d5f4c5afa68f4e377fabed8d79c20bcbda14cdf"><code>8d5f4c5</code></a> overwrite incoming token and fix failing test</li>
   <li><a href="https://github.com/dapr/dapr/commit/0d8349e162ea6883e36e4338609933c3ee8e7519"><code>0d8349e</code></a> read APP_API_TOKEN once, plumb thru both gRPC &amp; HTTP, remove per-request env ...</li>
   <li><a href="https://github.com/dapr/dapr/commit/2de29d6df094edeba9814cbd9b51602db6b8951a"><code>2de29d6</code></a> use bitnami legacy</li>
   <li><a href="https://github.com/dapr/dapr/commit/94cfa563b40bd2dab104b4ebdf3a063fd2b10b46"><code>94cfa56</code></a> bump e2e time</li>
   <li><a href="https://github.com/dapr/dapr/commit/e542ae3f5caf4e1c14d957ace832dcfea982f408"><code>e542ae3</code></a> rm file that is non existent in 1.15 that exists in 1.16</li>
   <li><a href="https://github.com/dapr/dapr/commit/dd5eb49f81b0bdaab6ff290c1864fe4d6604d952"><code>dd5eb49</code></a> release notes</li>
   <li>Additional commits viewable in <a href="https://github.com/dapr/dapr/compare/v1.6.0...v1.15.14">compare view</a></li>
   </ul>
   </details>
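The normalization mismatch and its fix, as described in the quoted release notes, shown as an added Go example that is not Dapr's code: legacyACLNormalize stands in for what the notes say the old purell-based ACL did, while NormalizeMethod and Invoke follow the described fix (reject #, ?, NUL and control characters, resolve ../ and duplicate slashes with path.Clean, and use one normalized string for both the ACL decision and dispatch). The /admin-denied sample policy and all function names are assumptions for illustration.

```go
package main

import (
	"errors"
	"net/url"
	"path"
	"strings"
)

// legacyACLNormalize mimics the pre-fix ACL behaviour the notes describe: '#' and
// '?' stripped as delimiters, %XX decoded, "../" resolved; dispatch used the raw string.
func legacyACLNormalize(method string) string {
	if i := strings.IndexAny(method, "#?"); i >= 0 {
		method = method[:i]
	}
	decoded, err := url.PathUnescape(method) // a bare '%' fails here, as the notes say
	if err != nil {
		return ""
	}
	return path.Clean("/" + decoded)
}

// NormalizeMethod is the hardened edge normalization: reject '#', '?', NUL and
// control characters, then path.Clean. Percent-encoded bytes stay literal (gRPC).
func NormalizeMethod(method string) (string, error) {
	for _, r := range method {
		if r == '#' || r == '?' || r < 0x20 || r == 0x7f {
			return "", errors.New("invalid method path: " + method)
		}
	}
	return path.Clean("/" + method), nil
}

// aclAllows is a pure policy check (constructed sample policy: /admin is denied).
func aclAllows(normalized string) bool {
	return normalized != "/admin" && !strings.HasPrefix(normalized, "/admin/")
}

// Invoke normalizes once and uses that single string for both the ACL decision
// and the outbound dispatch, so policy and target application see the same path.
func Invoke(method string) (string, error) {
	normalized, err := NormalizeMethod(method)
	if err != nil {
		return "", err
	}
	if !aclAllows(normalized) {
		return "", errors.New("denied by ACL: " + normalized)
	}
	return normalized, nil
}
```

With the old split, legacyACLNormalize turned admin%2F..%2Fpublic into /public for the policy check while the target got the raw string; Invoke returns the exact path the ACL evaluated, which is what gets dispatched.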


-- 
This is an automated message from the Apache Git Service.