Adreed/10.32.4#3457
Open
adreed-msft wants to merge 13 commits into
Open
Conversation
adreed-msft
requested review from
dphulkar-msft,
seanmcc-msft,
shnayak-msft,
souravgupta-msft,
tanyasethi-msft and
wonwuakpa-msft
as code owners
This was referenced May 11, 2026
Closed
Contributor
There was a problem hiding this comment.
Pull request overview
This PR targets trivy-reported vulnerabilities by updating Go/dependency versions and hardening Linux SDDL parsing/handling to avoid crashes from malformed or malicious security descriptors, along with a version bump and pipeline configuration updates.
Changes:
- Replace panic paths with returned errors when parsing/validating SDDL on Linux, to avoid taking down entire jobs.
- Add overflow-safe range validation in Linux SDDL helper parsing logic and introduce a regression test to prevent crash regressions.
- Update Go/dependency versions and bump AzCopy version, plus adjust 1ES pipeline feature flags.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
ste/sourceInfoProvider-Local_linux.go |
Removes panic behavior in SDDL conversion/sanity checks and returns errors instead. |
sddl/sddlHelper_linux.go |
Adds overflow-safe range validation for SD offsets to prevent out-of-bounds slicing/crashes. |
sddl/sddlHelper_linux_test.go |
Adds a Linux-only regression test to ensure crafted SDs don’t panic. |
go.mod |
Updates dependency versions and bumps the module Go version. |
go.sum |
Captures new dependency checksums for the updated modules. |
common/version.go |
Bumps AzCopy version to 10.32.4. |
ChangeLog.md |
Adds a new changelog entry describing dependency/vulnerability changes. |
build-1es-pipeline.yaml |
Disables network isolation via 1ES feature flags. |
Comments suppressed due to low confidence (1)
go.mod:103
go.modis updated togo 1.26.3, but the repo's pipelines (e.g.,build-1es-pipeline.yamlandazure-pipelines.yml) still pinAZCOPY_GOLANG_VERSION: '1.25.8'. If CI/build agents use 1.25.8,gowill likely refuse to build a module requiring 1.26.x. Please keep the module Go version and pipeline Go toolchain version in sync (either update the pipeline variables/tasks, or adjust thegodirective as intended).
replace github.com/Azure/azure-sdk-for-go/sdk/storage/azfile => github.com/Azure/azure-sdk-for-go/sdk/storage/azfile v1.5.2-0.20250507070125-9e8eb1f00372
go 1.26.3
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
1129
to
1130
| return "", fmt.Errorf("dacloffset (%d) points outside Security Descriptor of size %d bytes!", | ||
| dacloffset+8, len(sd)) |
Comment on lines
+73
to
+75
| a.Nil(panicked, v.testName, "panicked") | ||
| a.NotNil(err, v.testName, "should have returned an error") | ||
| a.Contains(err.Error(), "must lie within sd", v.testName, "error wasn't as expected") |
Comment on lines
+4
to
+6
| ## Version 10.32.3 | ||
|
|
||
| ### Dependency updates |
Comment on lines
+64
to
+65
| featureFlags: | ||
| disableNetworkIsolation: true |
Closed
Broken in Golang, removed in next major revision anyway.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Covers some trivy vulnerabilities atop 10.32.3