Comments (6)
The receive side does not go through metadata.Validate codepath. This happens only on the send side. Which means we do not error if the server receives a header with characters outside the ASCII range.
I double checked this ^^ using this test https://github.com/arvindbr8/grpc-go/blob/7cb635a70fcfc8dc6cf71c71554ff8cac4326568/test/end2end_test.go#L922
a workaround for grpc users has been pushed
Curious to know what the workaround here is
from grpc-go.
Hmm, in that case that sounds like an argo bug indeed.
That means that the bug is fundamentally caused by the argo cd devs copying the http request they receive verbatim and retransmetting it via grpc.
I'm terribly sorry about the misunderstanding, their sources were a little hard to read, but I did manage to follow the trail all the way to the abovementioned line.
Given this, I'll bring it back up with them.
Curious to know what the workaround here is.
Tailscale will mime-qencode non-us-ascii header values.
This means that even services like argo that blindly copy over the http request will now work with it.
You can find the details in the mentioned issue: tailscale/tailscale#11603
from grpc-go.
A very common triggering scenario are ingress nodes adding additional metadata for downstream services.
For example, X-GeoIP-City and tailscale-user-name.
An example downstream bug caused by this is argoproj/argo-workflows#12721.
from grpc-go.
@CosmicToast It would help us if you let us know where is the call failing, is this on the send or the receive side?
Also per our spec, gRPC restrictions on the header values are more strict than of the HTTP spec. gRPC-go right now throws an error, while we should be ignoring and throwing away the header key-value.
However, there isnt a possibility of transmitting the value through the gRPC service.
from grpc-go.
It would help us if you let us know where is the call failing, is this on the send or the receive side?
It's the receive side.
The pipeline looks something like this:
- The sender makes a gRPC request over HTTP (either 1.1 and 2).
- This call is intercepted by a reverse proxy. This is for authentication and common reverse proxy use-cases. The vast majority of internet traffic goes through one, but enterprise environments tend to add headers...
- The reverse-proxy adds some headers for downstream consumers to optionally use. In my case, it's tailscale adding
tailscale-user-name
. In the linked bug case, it's nginx adding X-GeoIP-City. - The message continues on to the receiver (in my case, argo workflows server), at which point it is rejected since a header contains a character from Latin Extended 1.
Also per our spec, gRPC restrictions on the header values are more strict than of the HTTP spec. gRPC-go right now throws an error, while we should be ignoring and throwing away the header key-value.
I agree!
That's my desired resolution.
Specifically, https://github.com/Patrick0308/grpc-go/blob/master/internal/metadata/metadata.go#L104 should not return an error but drop the header in question.
However, there isnt a possibility of transmitting the value through the gRPC service.
I'm not entirely sure what you mean in this respect.
Could you clarify your comment a little?
It seems to imply that the abovementioned scenario cannot possibly happen, but it quite clearly does.
from grpc-go.
As an update, tailscale should no longer be affected (a workaround for grpc users has been pushed).
This will continue to affect nginx users with x-geoip-city and similar headers, so I'm leaving this open for now.
If there's a definitive fix on that end as well then this can probably just be closed.
from grpc-go.
Related Issues (20)
- stubserver: add support to optionally pass in a `grpc.Server` or `xds.GRPCServer` HOT 2
- Github Action: Codecov action is broken and is failing silently HOT 1
- Upgrade to using math/rand/v2 to get perf enhancements HOT 2
- xds: tests shouldn't rely on the presence of an entry in the `authorities` field of the bootstrap configuration with an empty key
- Experimental API related to metadata HOT 4
- Linter rule for using context.Background() without a timeout in tests HOT 4
- gRPC is incompatible with tls.Listener HOT 2
- Closing connection takes up to 15 minutes. HOT 5
- Feature Request: expose handleRawConn or add ServeConn HOT 26
- Flaky test: TimerAndWatchStateOnErrorCallback HOT 4
- xds: bootstrap config is not emitted to logs in a human readable way
- Strongly-type request inside a Stream Server Interceptor HOT 2
- Proxy connection buffer necessary? HOT 1
- Why does grpc.NewClient silently ignore DialOptions? HOT 2
- Make transport.SetConnection public? HOT 4
- what's the default max data size
- If a priority contains multiple localities with pick_first, load is reported incorrectly HOT 4
- NewClient doesn't work with WithContextDialer HOT 2
- xds: make the bootstrap configuration a singleton
- protoc gen adds comment, does not follow godoc. HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from grpc-go.