[PATCH] CLEANUP: Consistently `unsigned int` for bitfields
see 6a0dd733906611dea958cf74b9f51bb16028ae20 Found using GitHub's CodeQL scan. --- include/haproxy/stick_table-t.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/haproxy/stick_table-t.h b/include/haproxy/stick_table-t.h index 3b1f2b3ef..133f992b5 100644 --- a/include/haproxy/stick_table-t.h +++ b/include/haproxy/stick_table-t.h @@ -125,8 +125,8 @@ struct stktable_data_type { const char *name; /* name of the data type */ int std_type; /* standard type we can use for this data, STD_T_* */ int arg_type; /* type of optional argument, ARG_T_* */ - int is_array:1; /* this is an array of gpc/gpt */ - int is_local:1; /* this is local only and never learned */ + unsigned int is_array:1; /* this is an array of gpc/gpt */ + unsigned int is_local:1; /* this is local only and never learned */ }; /* stick table keyword type */ -- 2.33.0
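Review bot: the commit message should say why the change matters rather than only pointing at a hash and a scanner. A plain `int` bitfield of width 1, such as `int is_array:1;`, is signed on most compilers and can only hold 0 and -1, so after `is_array = 1` a test like `== 1` is false while `!= 0` still works; `unsigned int is_array:1;` holds 0 and 1 as intended. Since the scan flagged two fields in one header, it is worth grepping the other headers for remaining `int x:1;` bitfields so the same fix lands in a single pass.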
[PATCH 1/2] CI: Add `permissions` to GitHub Actions
This change locks down the permissions of the access token in GitHub Actions to only allow reading the repository contents and nothing else. see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token --- .github/workflows/codespell.yml| 3 +++ .github/workflows/compliance.yml | 3 +++ .github/workflows/contrib.yml | 3 +++ .github/workflows/coverity.yml | 3 +++ .github/workflows/musl.yml | 3 +++ .github/workflows/openssl-nodeprecated.yml | 3 +++ .github/workflows/vtest.yml| 3 +++ .github/workflows/windows.yml | 3 +++ 8 files changed, 24 insertions(+) diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index de49f4343..61edaeb9e 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -4,6 +4,9 @@ on: schedule: - cron: "0 0 * * 2" +permissions: + contents: read + jobs: codespell: diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 9f2bec289..fe6c2711e 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -5,6 +5,9 @@ on: schedule: - cron: "0 0 * * 3" +permissions: + contents: read + jobs: h2spec: name: h2spec diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml index 53f6025ca..93387a458 100644 --- a/.github/workflows/contrib.yml +++ b/.github/workflows/contrib.yml @@ -3,6 +3,9 @@ name: Contrib on: push: +permissions: + contents: read + jobs: build: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index fd5a0e2d2..b3dd5ec52 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -9,6 +9,9 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: scan: runs-on: ubuntu-latest diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml index 8f6922486..19d82af7c 100644 --- a/.github/workflows/musl.yml +++ b/.github/workflows/musl.yml 
@@ -2,6 +2,9 @@ name: alpine/musl on: [push] +permissions: + contents: read + jobs: musl: name: gcc diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nodeprecated.yml index 6833911e4..f6da38234 100644 --- a/.github/workflows/openssl-nodeprecated.yml +++ b/.github/workflows/openssl-nodeprecated.yml @@ -14,6 +14,9 @@ on: schedule: - cron: "0 0 * * 4" +permissions: + contents: read + jobs: test: diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml index 1dc216eeb..4cdbdce5b 100644 --- a/.github/workflows/vtest.yml +++ b/.github/workflows/vtest.yml @@ -11,6 +11,9 @@ name: VTest on: push: +permissions: + contents: read + jobs: # The generate-matrix job generates the build matrix using JSON output # generated by .github/matrix.py. diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index b5a198aff..42bb4e8c9 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -11,6 +11,9 @@ name: Windows on: push: +permissions: + contents: read + jobs: msys2: name: ${{ matrix.name }} -- 2.33.0
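Review bot: a workflow-level `permissions:` block sets the GITHUB_TOKEN scope for every job in the file, so each job that does more than a checkout should be checked against `contents: read`. The `scan` job in coverity.yml presumably uploads to Coverity with its own credentials and so is unaffected, but any job that later needs to write (check annotations, releases, pushes) must add a job-level `permissions:` override rather than widening the workflow default. The block is placed consistently between `on:` and `jobs:` in all eight files, which is good; a one-line comment in the commit message that `contents: read` is still sufficient for `actions/checkout` would save the next reader a lookup.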
[PATCH 2/2] CI: Clean up formatting in GitHub Action definitions
This patch cleans up the formatting within the .yml definition files for GitHub Actions to ensure a consistent look across all actions. --- .github/workflows/codespell.yml| 15 +++--- .github/workflows/compliance.yml | 2 +- .github/workflows/contrib.yml | 2 - .github/workflows/musl.yml | 57 +++--- .github/workflows/openssl-nodeprecated.yml | 10 ++-- 5 files changed, 43 insertions(+), 43 deletions(-) diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml index 61edaeb9e..955560a0a 100644 --- a/.github/workflows/codespell.yml +++ b/.github/workflows/codespell.yml @@ -1,4 +1,4 @@ -name: codespell +name: Spelling Check on: schedule: @@ -9,12 +9,15 @@ permissions: jobs: codespell: - runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 -- name: install prerequisites +- name: Install codespell run: sudo pip install codespell -- name: check - run: codespell -c -q 2 --ignore-words-list ist,ists,hist,wan,ca,cas,que,ans,te,nd,referer,ot,uint,iif,fo,keep-alives,dosen --skip="CHANGELOG,Makefile,*.fig,*.pem" +- name: Run codespell + run: | +codespell \ + -c \ + -q 2 \ + --ignore-words-list ist,ists,hist,wan,ca,cas,que,ans,te,nd,referer,ot,uint,iif,fo,keep-alives,dosen \ + --skip="CHANGELOG,Makefile,*.fig,*.pem" diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index fe6c2711e..3ce717805 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -3,7 +3,7 @@ name: Spec Compliance on: schedule: -- cron: "0 0 * * 3" + - cron: "0 0 * * 3" permissions: contents: read diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml index 93387a458..480f61be8 100644 --- a/.github/workflows/contrib.yml +++ b/.github/workflows/contrib.yml @@ -8,9 +8,7 @@ permissions: jobs: build: - runs-on: ubuntu-latest - steps: - uses: actions/checkout@v2 - name: Compile admin/halog/halog diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml index 19d82af7c..c106b1d05 100644 
--- a/.github/workflows/musl.yml +++ b/.github/workflows/musl.yml @@ -1,6 +1,7 @@ name: alpine/musl -on: [push] +on: + push: permissions: contents: read 
@@ -12,30 +13,30 @@ jobs: container: image: alpine:latest steps: -- uses: actions/checkout@master -- name: Install dependencies - run: apk add gcc make tar git python3 libc-dev linux-headers pcre-dev pcre2-dev openssl-dev lua5.3-dev grep socat curl -- name: Install VTest - run: scripts/build-vtest.sh -- name: Build - run: make -j$(nproc) CC=cc V=1 TARGET=linux-musl USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 USE_OPENSSL=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_PROMEX=1 -- name: Show version - run: ./haproxy -vv -- name: Show linked libraries - run: ldd haproxy -- name: Install problem matcher for VTest - # This allows one to more easily see which tests fail. - run: echo "::add-matcher::.github/vtest.json" -- name: Run VTest - id: vtest - run: make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel -- name: Show results - if: ${{ failure() }} - run: | -for folder in /tmp/haregtests-*/vtc.*; do - printf "::group::" - cat $folder/INFO - cat $folder/LOG - echo "::endgroup::" -done -shopt -s nullglob + - uses: actions/checkout@master + - name: Install dependencies +run: apk add gcc make tar git python3 libc-dev linux-headers pcre-dev pcre2-dev openssl-dev lua5.3-dev grep socat curl + - name: Install VTest +run: scripts/build-vtest.sh + - name: Build +run: make -j$(nproc) CC=cc V=1 TARGET=linux-musl USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 USE_OPENSSL=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_PROMEX=1 + - name: Show version +run: ./haproxy -vv + - name: Show linked libraries +run: ldd haproxy + - name: Install problem matcher for VTest +# This allows one to more easily see which tests fail. 
+run: echo "::add-matcher::.github/vtest.json" + - name: Run VTest +id: vtest +run: make reg-tests VTEST_PROGRAM=../vtest/vtest REGTESTS_TYPES=default,bug,devel + - name: Show results +if: ${{ failure() }} +run: | + for folder in /tmp/haregtests-*/vtc.*; do +printf "::group::" +cat $folder/INFO +cat $folder/LOG +echo "::endgroup::" + done + shopt -s nullglob diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nodeprecated.yml index
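Review bot: in the musl.yml "Show results" step the re-indented script keeps `shopt -s nullglob` after the `for folder in /tmp/haregtests-*/vtc.*; do ... done` loop, where it has no effect because the glob has already been expanded; it should precede the loop so an empty match does not produce a `cat` on a literal pattern. That is a pre-existing defect rather than a formatting issue, but since every line of the step is touched here it is the natural moment to move it. Separately, the same hunk leaves `- uses: actions/checkout@master` in place while contrib.yml uses `actions/checkout@v2`; pinning the action to a tag (or better, a commit SHA) is the consistent and safer choice, and a formatting cleanup that aims for "a consistent look across all actions" is a reasonable place to align it.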
[PATCH 1/2] DEV: coccinelle: Add strcmp.cocci
see e5ff14100aceba70714a2d8549ee7621ffc2701e --- dev/coccinelle/strcmp.cocci | 309 1 file changed, 309 insertions(+) create mode 100644 dev/coccinelle/strcmp.cocci diff --git a/dev/coccinelle/strcmp.cocci b/dev/coccinelle/strcmp.cocci new file mode 100644 index 0..f6064bffb --- /dev/null +++ b/dev/coccinelle/strcmp.cocci 
@@ -0,0 +1,309 @@ +@@ +statement S; +expression E; +expression F; +@@ + + if ( +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) != 0 + ) +( + S +| + { ... } +) + +@@ +statement S; +expression E; +expression F; +@@ + + if ( +- ! +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 + ) +( + S +| + { ... } +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +G && +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) != 0 +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +G || +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) != 0 +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) != 0 +&& G +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) != 0 +|| G +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +G && +- ! +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +G || +- ! +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +- ! +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 +&& G +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +- ! 
+( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 +|| G +) + +@@ +expression E; +expression F; +expression G; +@@ + +( +- ! +( +dns_hostname_cmp +| +eb_memcmp +| +memcmp +| +strcasecmp +| +strcmp +| +strncasecmp +| +strncmp +) +- (E, F) ++ (E, F) == 0 +) -- 2.33.0
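Review bot: the final rule (a bare `- ! (cmp)(E, F)` / `+ (E, F) == 0` with no surrounding context) already matches every negated call, so the earlier negated rules for `if (!cmp(E, F))`, `G && !cmp(E, F)`, `G || !cmp(E, F)`, `!cmp(E, F) && G` and `!cmp(E, F) || G` are subsumed by it and could be dropped, shrinking the 309-line file considerably. The positive rules are correctly limited to boolean contexts (an `if` condition or an operand of `&&`/`||`), since a plain `strcmp(E, F)` used as a return value or assigned to a variable must keep its three-way result; a short header comment in the file stating exactly that intent, and listing the seven comparison functions it covers, would make the rule set self-explanatory for the next person who extends it.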
[PATCH 2/2] CLEANUP: Apply strcmp.cocci
This fixes the use of the various *cmp functions to use != 0 or == 0. --- src/cfgparse.c | 2 +- src/cli.c | 4 ++-- src/server.c | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/cfgparse.c b/src/cfgparse.c index f013928f6..892170284 100644 --- a/src/cfgparse.c +++ b/src/cfgparse.c @@ -1536,7 +1536,7 @@ static void check_section_position(char *section_name, const char *file, int linenum, int *non_global_parsed) { - if (!strcmp(section_name, "global")) { + if (strcmp(section_name, "global") == 0) { if (*non_global_parsed == 1) _ha_diag_warning("parsing [%s:%d] : global section detected after a non-global one, the prevalence of their statements is unspecified\n", file, linenum); } diff --git a/src/cli.c b/src/cli.c index a3ee4c442..6a46f138c 100644 --- a/src/cli.c +++ b/src/cli.c @@ -1714,11 +1714,11 @@ static int cli_parse_expert_experimental_mode(char **args, char *payload, struct if (!cli_has_level(appctx, ACCESS_LVL_ADMIN)) return 1; - if (!strcmp(args[0], "expert-mode")) { + if (strcmp(args[0], "expert-mode") == 0) { level = ACCESS_EXPERT; level_str = "expert-mode"; } - else if (!strcmp(args[0], "experimental-mode")) { + else if (strcmp(args[0], "experimental-mode") == 0) { level = ACCESS_EXPERIMENTAL; level_str = "experimental-mode"; } diff --git a/src/server.c b/src/server.c index b8908cefa..15c4d0536 100644 --- a/src/server.c +++ b/src/server.c @@ -4681,7 +4681,7 @@ static int cli_parse_add_server(char **args, char *payload, struct appctx *appct while (1) { /* check for duplicate server */ - if (!strcmp(srv->id, next->id)) { + if (strcmp(srv->id, next->id) == 0) { ha_alert("Already exists a server with the same name in backend.\n"); goto out; } -- 2.33.0
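Review bot: the four rewrites are semantically identical to what they replace (`!strcmp(x, y)` is exactly `strcmp(x, y) == 0`), so the commit message's "This fixes the use of the various *cmp functions" overstates the change; the `CLEANUP:` subject prefix is right, and the body could say it makes the intent explicit. For reproducibility it would also help to record the spatch invocation used to generate the patch (the script is `dev/coccinelle/strcmp.cocci`), so a reviewer can re-run it and confirm that these three files are the only remaining sites.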
[ANNOUNCE] haproxy-2.5-dev10
Hi,

HAProxy 2.5-dev10 was released on 2021/10/16. It added 75 new commits after version 2.5-dev9.

The smoke is progressively being blown away and we're starting to see clearer what final 2.5 will look like. In completely random order, here are the main changes I noticed in this release:

- some fixes for OpenSSL 3.0.0 support from Rémi and William; regression tests were fixed as well and the version in the CI was upgraded from alpha17 to 3.0.0

- Rémi's JWT patches were merged. Now it becomes possible to decode JWT tokens and check their integrity. There are still a few pending patches for it but they're essentially cosmetic, so the code is expected to be already operational. Those who've been waiting for this are strongly invited to give it a try so that any required change has a chance to be merged before 2.5. Alex ?

- Christopher merged his series that allows to place tcp-request and http-request rules in named "defaults" sections and have them processed first by frontends and backends that explicitly depend on them. This finally allows to merge infrastructure rules in defaults sections while keeping section-specific rules in frontend/backend sections. The long-term goal is to ease the creation of fully functional backends on the fly in the future. It was much trickier than initially imagined due to arguments of sample fetches and converters that are context-dependent (e.g. current proxy name). All envisioned corner cases were addressed but that doesn't mean that it's 100% problem-free yet. However I asked Christopher to merge it now to help collect more feedback on configs that are not trivial to think about. So if your config repeats many identical tcp/http rules in their frontends or backends, you may be interested in giving this a try, and we're interested in knowing if you faced any error that makes it impossible for you to express a config that you'd consider simple.

- the first part of Björn's MPTCP patches was merged. This part deals with the formatting of socket errors and warnings so that the whole list of warnings can be reported instead of only the last one.

- I merged the patches adding the "shards" option to the "bind" lines. It replicates the listeners the specified number of times and distributes them among the number of threads. This can be useful on workloads involving a high connection rate on large thread numbers, when the kernel-side CPU load becomes high due to the close() syscall locking the pollers. By spreading the activity over multiple sockets, this contention reduces a lot. This will later be reused with the thread groups when trying to bind some listeners on more than 64 threads.

- improved error reporting (e.g. bind errors about MSS/interfaces), and troubleshooting (file, line number and names for active filters and rules in "show sess all").

- William added a new config predicate "ssllib_name_startswith" to detect the type of SSL library in "-cc" rules.

- some doc rearrangement for long lists of rules

- another batch of H3/QUIC cleanups and fixes

- new regression tests were written (I'm seeing 162 being executed right now).

- usual small batch of bug fixes

There are still a number of things I've collected during this week:

- some config predicates are not documented (openssl_version_atleast, openssl_version_before, ssllib_name_startswith)

- a number of cleanup patches were posted on the list but not reviewed yet (at first glance they all look right)

- there are at least two issues left on the resolvers code that affect 2.4 as well. One of them is a random crash that I could only verify that it depends on a use-after-free that I couldn't spot yet. I'm getting closer but not there yet :-( The other one is a remaining code path with extreme complexity that runs under a global lock and manages to trigger the watchdog when used with many threads and many servers. Some improvements were made, and we have some ideas about how to go much farther (replacing the last-level list with a tree, and splitting the single lock in two to still allow some parallelism).

- some TLS issues were reported at least since 2.4, causing more renegotiations than needed because the session cache is not always updated. Emeric and William started to find some problems when trying to reproduce but further investigation is still ongoing.

- there are still many issues on github and I'd like that we prioritize them over code. Most of them affect versions before 2.4 so they are not last-minute regressions, but until we have an idea how they'll have to be fixed, it's still not too late to make significant changes if that helps releasing 2.5 in a cleaner state.

Please find the usual URLs below :
Site index : http://www.haproxy.org/
Discourse