12 changes: 1 addition & 11 deletions abci/tutorials/abci-v2-forum-app/forum.go
@@ -67,17 +67,7 @@ func main() {
config.PrivValidatorStateFile(),
)

node, err := nm.NewNode(
context.Background(),
config,
pv,
nodeKey,
proxy.NewLocalClientCreator(app),
nm.DefaultGenesisDocProviderFunc(config),
cfg.DefaultDBProvider,
nm.DefaultMetricsProvider(config.Instrumentation),
logger,
)
node, err := nm.NewNode(context.Background(), config, pv, nodeKey, proxy.NewLocalClientCreator(app), nm.DefaultGenesisDocProviderFunc(config), cfg.DefaultDBProvider, nm.DefaultMetricsProvider(config.Instrumentation), logger, nil)

defer func() {
_ = node.Stop()
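Review bot: the real change in this hunk, the new trailing `nil` argument to `nm.NewNode`, is hidden by collapsing the call from one argument per line into a single line of roughly 200 characters. Keep the multi-line form (gofmt accepts either, but the diff should show only the added argument) and annotate the new parameter, e.g. `nil, // <describe the parameter here>`, since nothing in this hunk says what the extra argument is or why `nil` is the right value for the tutorial app.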
43 changes: 27 additions & 16 deletions go.mod
@@ -1,7 +1,6 @@
module github.com/cometbft/cometbft

go 1.23
toolchain go1.23.7
go 1.23.9

require (
github.com/BurntSushi/toml v1.4.0
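Review bot: dropping `toolchain go1.23.7` and raising the `go` directive from `1.23` to `1.23.9` changes the minimum Go version required by every module that consumes this one, not just the toolchain used to build it here. If the goal is only to build with a newer patch release, keep `go 1.23` and bump the `toolchain` line instead; if the higher minimum is intended, say so in the PR description.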
@@ -33,15 +32,16 @@ require (
github.com/snikch/goodman v0.0.0-20171125024755-10e37e294daa
github.com/spf13/cobra v1.9.1
github.com/spf13/viper v1.19.0
github.com/stretchr/testify v1.10.0
golang.org/x/crypto v0.36.0
golang.org/x/net v0.37.0
google.golang.org/grpc v1.71.0
github.com/stretchr/testify v1.11.1
golang.org/x/crypto v0.41.0
golang.org/x/net v0.43.0
google.golang.org/grpc v1.75.0
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import json
import urllib.request

queries = [
    ("google.golang.org/grpc", "1.75.0"),
    ("go.opentelemetry.io/otel/sdk", "1.38.0"),
]

for pkg, version in queries:
    body = json.dumps({
        "package": {"ecosystem": "Go", "name": pkg},
        "version": version,
    }).encode()
    req = urllib.request.Request(
        "https://api.osv.dev/v1/query",
        data=body,
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        payload = json.load(resp)
    print(json.dumps({
        "package": pkg,
        "version": version,
        "vulns": payload.get("vulns", []),
    }, indent=2))
PY

Repository: InjectiveLabs/cometbft

Length of output: 2648


🏁 Script executed:

cat go.mod | head -50

Repository: InjectiveLabs/cometbft

Length of output: 1787


🏁 Script executed:

sed -n '38p;141p' go.mod

Repository: InjectiveLabs/cometbft

Length of output: 147


🌐 Web query:

GO-2026-4762 GHSA-p77j-4mvh-x3m3 google.golang.org/grpc authorization bypass

💡 Result:

GO-2026-4762 (GHSA-p77j-4mvh-x3m3, CVE-2026-33186) is a critical authorization bypass vulnerability (CVSS 9.1) in google.golang.org/grpc versions before 1.79.3. The gRPC-Go server accepts HTTP/2 requests with a :path pseudo-header missing the leading slash (e.g., "Service/Method" instead of "/Service/Method"). It routes these to the correct handler, but authorization interceptors (e.g., google.golang.org/grpc/authz) evaluate the raw non-canonical path. Deny rules using canonical paths (with "/") fail to match, allowing bypass if a fallback allow rule exists. Impacts servers using path-based authorization interceptors with deny rules for canonical paths and fallback allows. Attackers send crafted HTTP/2 frames. Fixed in v1.79.3: rejects non-canonical :path with codes.Unimplemented before interceptors. Upgrade to v1.79.3 or later. Mitigate with validating interceptors or default-deny policies.


🌐 Web query:

GO-2026-4394 GHSA-9h8m-3fm2-qjrq go.opentelemetry.io/otel PATH hijack RCE

💡 Result:

GO-2026-4394 (GHSA-9h8m-3fm2-qjrq, CVE-2026-24051) is a high-severity vulnerability in the OpenTelemetry Go SDK (go.opentelemetry.io/otel/sdk) enabling arbitrary code execution (RCE) via PATH hijacking on macOS/Darwin systems. Summary: The resource detection code in sdk/resource/host_id.go executes the 'ioreg' system command without an absolute path, relying on the PATH environment variable. An attacker able to modify PATH (local low-priv attacker) can place a malicious executable named 'ioreg' in a directory prioritized in PATH, leading to RCE in the application's context when resource.WithHostID or similar host detection is used. Affected versions: v1.21.0 to v1.39.0 (Go modules all versions in that range). Patched in: v1.40.0 via commit d45961b (uses absolute path for ioreg on macOS). Severity: High (CVSS 7.0: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). Official sources confirm the issue only affects macOS due to ioreg usage; other platforms use file reads or different safe methods. Mitigation: Upgrade to v1.40.0 or later. Avoid using resource.WithHostID if possible. Do not run in environments where PATH is attacker-controllable.


Upgrade the vulnerable dependency pins before merging.

google.golang.org/grpc v1.75.0 contains a critical authorization-bypass vulnerability (GO-2026-4762 / GHSA-p77j-4mvh-x3m3, CVSS 9.1). Servers using path-based authorization interceptors are at risk when HTTP/2 requests with non-canonical :path pseudo-headers bypass deny rules. Upgrade to v1.79.3 or later.

go.opentelemetry.io/otel/sdk v1.38.0 contains a high-severity PATH-hijacking RCE vulnerability (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq, CVSS 7.0) on macOS systems due to unqualified command execution. Upgrade to v1.40.0 or later.

Both versions are now in this diff.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[CRITICAL] 38-38: google.golang.org/grpc 1.75.0: Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc

(GO-2026-4762)


[CRITICAL] 38-38: google.golang.org/grpc 1.75.0: gRPC-Go has an authorization bypass via missing leading slash in :path

(GHSA-p77j-4mvh-x3m3)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 38, Replace the vulnerable module versions in go.mod: bump
google.golang.org/grpc from v1.75.0 to v1.79.3 (or later) and bump
go.opentelemetry.io/otel/sdk from v1.38.0 to v1.40.0 (or later); after updating
the module lines for these symbols, run go mod tidy and re-run tests/build to
ensure dependency graph and imports resolve cleanly.
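The bypass the bot's query result describes comes down to a canonicalization gap: the deny rule is written against "/Service/Method" while the policy is handed the :path exactly as received. As an added example (not code from this PR, from CometBFT, or from grpc-go), the stdlib-only Go below models a first-match path policy beside the validating check the advisory recommends, which rejects non-canonical method paths before any rule runs; the `Rule` type, the `forum.Admin` service name and the policy are constructed for illustration.

```go
package main

import "strings"

// Rule is a constructed stand-in for one entry of a path-based authorization
// policy (not the google.golang.org/grpc/authz types). A Rule with Path ""
// is a fallback that matches every method.
type Rule struct {
	Allow bool
	Path  string
}

// evaluate is first-match-wins over the raw method path, which is what a
// policy sees when the server hands it :path exactly as received.
func evaluate(rules []Rule, fullMethod string) bool {
	for _, r := range rules {
		if r.Path == "" || r.Path == fullMethod {
			return r.Allow
		}
	}
	return false
}

// AuthorizeNaive trusts the path as-is: a deny rule written as
// "/Service/Method" never matches "Service/Method", so the fallback applies.
func AuthorizeNaive(rules []Rule, fullMethod string) bool {
	return evaluate(rules, fullMethod)
}

// CanonicalMethod reports whether fullMethod has the exact "/Service/Method"
// shape that policies are written against: a single leading slash, a
// non-empty service, a non-empty method, and nothing else.
func CanonicalMethod(fullMethod string) bool {
	if !strings.HasPrefix(fullMethod, "/") {
		return false
	}
	parts := strings.Split(fullMethod[1:], "/")
	return len(parts) == 2 && parts[0] != "" && parts[1] != ""
}

// AuthorizeHardened rejects anything non-canonical before any rule is
// consulted, which is the validating-interceptor mitigation in the advisory:
// the request never reaches the policy, so no fallback allow can apply.
func AuthorizeHardened(rules []Rule, fullMethod string) bool {
	return CanonicalMethod(fullMethod) && evaluate(rules, fullMethod)
}
```

In a real gRPC server the same check belongs in a unary and stream interceptor registered ahead of the authorization interceptor, returning codes.Unimplemented as the fixed grpc-go does.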

)

require github.com/syndtr/goleveldb v1.0.1-0.20210819022825-2ae1ddf74ef7

require (
github.com/InjectiveLabs/metrics/v2 v2.0.0-beta.8
github.com/Masterminds/semver/v3 v3.3.1
github.com/go-git/go-git/v5 v5.14.0
github.com/goccmack/goutil v1.2.3
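Review bot: the `google.golang.org/grpc` bump in this hunk lands on v1.75.0, which the OSV scan attached at line 38 flags as GO-2026-4762 / GHSA-p77j-4mvh-x3m3 (authorization bypass via a non-canonical :path); the scanner output gives v1.79.3 or later as the fixed version, so the pin should go there before merge, followed by `go mod tidy`. This hunk also adds `github.com/InjectiveLabs/metrics/v2 v2.0.0-beta.8` as a new direct dependency pinned to a pre-release; the PR description should say what it is used for and whether a tagged release is expected.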
@@ -51,9 +51,9 @@ require (
github.com/oasisprotocol/curve25519-voi v0.0.0-20220708102147-0a8a51822cae
github.com/supranational/blst v0.3.14
golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
golang.org/x/sync v0.12.0
gonum.org/v1/gonum v0.15.1
google.golang.org/protobuf v1.36.5
golang.org/x/sync v0.16.0
gonum.org/v1/gonum v0.16.0
google.golang.org/protobuf v1.36.8
)

require (
@@ -64,6 +64,7 @@ require (
github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
github.com/ProtonMail/go-crypto v1.1.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudflare/circl v1.6.0 // indirect
github.com/cockroachdb/errors v1.11.3 // indirect
@@ -85,7 +86,7 @@ require (
github.com/getsentry/sentry-go v0.31.1 // indirect
github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
github.com/go-git/go-billy/v5 v5.6.2 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-sql-driver/mysql v1.7.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
@@ -95,6 +96,7 @@ require (
github.com/google/flatbuffers v25.2.10+incompatible // indirect
github.com/google/go-cmp v0.7.0 // indirect
github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/imdario/mergo v0.3.15 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -131,13 +133,20 @@ require (
github.com/xanzy/ssh-agent v0.3.3 // indirect
go.etcd.io/bbolt v1.4.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.opentelemetry.io/otel v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/sdk v1.38.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
golang.org/x/sys v0.35.0 // indirect
golang.org/x/text v0.28.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250825161204-c5933d9347a5 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/warnings.v0 v0.1.2 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
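Review bot: `go.opentelemetry.io/otel/sdk v1.38.0` added in this hunk is the second pin the OSV findings in this thread flag (GO-2026-4394 / GHSA-9h8m-3fm2-qjrq, PATH hijack of the `ioreg` command on macOS), with v1.40.0 or later given as the fix. The hunk also introduces `otlptracegrpc`, `otlpmetricgrpc` and `sdk/metric` as indirect dependencies without anything in the diff explaining which direct dependency pulls in OTLP export; name it in the PR description and confirm that no exporter is enabled by default in a node build.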
@@ -152,3 +161,5 @@ retract (
// superseeded by v0.38.3 because of ASA-2024-001
[v0.38.0, v0.38.2]
)

replace github.com/cometbft/cometbft/api => ./api
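Review bot: the new `replace github.com/cometbft/cometbft/api => ./api` directive only takes effect when this repository is the main module; modules that depend on this fork ignore it and resolve `cometbft/api` from the module proxy, so if `./api` has diverged they will build against different code. Either tag and publish the api module at the version consumers should get, or document that downstream users need their own matching `replace`.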