RATATOSKRATATOSK
ログイン

Dapr

v1.16.14Orchestration & Management
2026年4月17日

Critical security fix: path traversal and encoded characters in service invocation method paths could bypass ACL policies entirely. Upgrade immediately if you use access control policies.

  • securityUpgrade immediately if you use Dapr ACL policies

    Any deployment with service invocation access control policies is vulnerable. An attacker with access to the Dapr HTTP or gRPC API can craft method paths that the ACL permits but route to denied endpoints. The gRPC vector is especially dangerous since no client-side sanitization occurs. Upgrade to v1.16.14 now — there is no viable workaround short of removing Dapr API access entirely. After upgrading, audit your ACL policy rules to confirm they match the normalized path forms (resolved ../ and no encoded separators).

  • breakingMethod paths with #, ?, null bytes, or control characters are now rejected

    The fix actively rejects method paths containing fragment (#), query (?), null bytes, or control characters rather than silently normalizing them. If any of your services invoke methods with these characters (unlikely but possible via programmatic gRPC calls), those calls will fail after upgrading. Review your service invocation call sites — especially any that construct method paths dynamically — before rolling this out to production.

主な変更 (5)

  • Path traversal sequences (../), encoded slashes (%2F), fragment (%23), query (%3F), and bare % in method paths could all bypass ACL policy checks
  • gRPC was the higher-risk vector — method strings are passed raw with no client-side sanitization, making all special characters exploitable
  • Root cause was a normalization mismatch: ACL evaluated a decoded/cleaned path while the target app received the raw original string
  • Fix applies path.Clean normalization at the invocation edge (before both ACL check and dispatch), and now rejects methods containing #, ?, null bytes, or control characters
  • The purell library has been removed from the ACL path; gRPC treats percent-encoded sequences as opaque literal characters, not path separators