The APITokenAuthMiddleware allowed bypassing the check if the path included `/healthz`. An attacker only needed to include `/healthz` in the URL, even the querystring, to bypass the API token check, for example `/v1.0/invoke/myapp/method/something?foo=/healthz`.

Additionally, this was not checking the method of the request, so requests to `POST /healthz` would cause a service invocation to happen.

This fixes the issue by making the check a lot more strict. The API token check can be bypassed only if:

- The path is exactly `/v1.0/healthz` or `/v1.0/healthz/outbound` (slashes are trimmed on each side)
- The method is `GET`
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Fixes CVE-2023-37475
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds missing v1.10.8 release notes
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update release notes and creates a TOC
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Fix bulk subscribe response
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

* Add Release Note for issue
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

* Correct merge conflict from cherry-picking
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

* Update docs/release_notes/v1.10.8.md
Co-authored-by: NMukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

* Update docs/release_notes/v1.10.8.md
Co-authored-by: NMukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

---------
Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NMukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>
Co-authored-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: NBernd Verst <github@bernd.dev>

* Fixed goroutine leak in reminders and timers



* Added unit tests + some more tweaks



* Fixed last goroutine leaks



* Comments



---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NDapr Bot <56698301+dapr-bot@users.noreply.github.com>

Signed-off-by: Nyaron2 <schneider.yaron@live.com>

* Adds ActorReminder bson marshaler to address Mongo problems (#6525)

* Add release notes for MongoDB issue
Signed-off-by: NBernd Verst <github@bernd.dev>

---------
Signed-off-by: NBernd Verst <github@bernd.dev>

* Fix panic in service invocation when connection fails
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Added relnotes
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* Components name validation in disk manifest loader
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Include ObjectMeta in type types
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds to release notes for v1.10.8
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* Adds third party URI path normalization, removing segment decoding
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds e2e tests to ensure only slashes are normalized. Segments remain
encoded as is.
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds copyright headers
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Write back escaped path from echoPath e2e handler
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* linting
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Don't escape path in e2e service invocation app router
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Use correct expected path
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Remove trailing slashes since we use strict slashes in router
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Add 1.10.8 release notes
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update github.com/dapr/components-contrib from `v1.10.6` to `v1.10.7`
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update dapr/components-contrib to v1.10.8
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Use SetPath in nethttpadapter to ensure path fasthttp URI path is
normalized
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update the release notes for v1.10.7 with fix for HTTP request URL
normalization.
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update docs/release_notes/v1.10.7.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.10.7.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Review comments
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Using // to repro regression in actor invocation.
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: NBernd Verst <github@bernd.dev>

Pin contrib 1.10.6 and update release notes

Signed-off-by: NBernd Verst <github@bernd.dev>

* Fix timer and reminder serialization issue on invocation.
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

* Fix gRPC reminder and timer serialization on top of previous change.
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

---------
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

* Unserializing reminder period accepts more null-y values

Fixes dapr/components-contrib#2786 which seems to be due to how MongoDB serializes the null value
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Actor timer/reminder responses: marshal data to JSON
Fixes #6268
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Addressed review feedback
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

💄Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Release notes for Dapr v1.10.6
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Contains some small fixes to actors after recent changes
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Signed-off-by: Nyaron2 <schneider.yaron@live.com>

Fixes race conditions for the most part (fixes #6018)

Includes improvements to perf:

- Update actor reminders data structures
- Switch data field to be json.RawMessage
- Reduce code duplication & tech debt
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

[release-1.10] Use a single HTTP client for all connections to the app, which supports TLS [Fixes actors not working with app-ssl enabled] (#6159)

* Use a single HTTP client for all connections to the app, which supports TLS

Fixes #6141

This was implemented in a way that:

- Makes health checks work when `app-ssl` is enabled.
- Switches the health package's client to net/http rather than fasthttp. This allows taking advantage of HTTP/2 and multiplexing, among other things.
- Uses a single http.Client for health checks and app channel. This allows re-using TCP sockets and multiplexing when HTTP/2 is enabled
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Fixed actors
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* Maintain all HTTP headers with the same name

The HTTP specs allow passing multiple headers with the same name, for example multiple `Set-Cookie` headers. However, for every header, Dapr was only preserving the first value.

This fixes the behavior of Dapr to preserve all HTTP headers, even when more than one have the same name.

Fixes #6104
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Update pkg/http/api.go
Signed-off-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

Also incldues two more twekas:

1. Use an exponential backoff when reconnecting to the placement service rather than a linear one
2. Do not print a debug log on every single reconnection attempt, which were very frequent and causing noise
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NMukundan Sundararajan <65565396+mukundansundar@users.noreply.github.com>

* remove temporal from workflows and tests (#6021)
Signed-off-by: Nyaron2 <schneider.yaron@live.com>

* removing wener helm from makefile (#6148)
Signed-off-by: NRyan Lettieri <ryanLettieri@microsoft.com>
Co-authored-by: NRyan Lettieri <ryanLettieri@microsoft.com>

---------
Signed-off-by: Nyaron2 <schneider.yaron@live.com>
Signed-off-by: NRyan Lettieri <ryanLettieri@microsoft.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NRyan Lettieri <67934986+RyanLettieri@users.noreply.github.com>
Co-authored-by: NRyan Lettieri <ryanLettieri@microsoft.com>

* Stabilize flaky actor unit tests by mocking time (#5613)

* Reduce log verbosity for workflow execution (#5897)
Signed-off-by: NChris Gillum <cgillum@microsoft.com>
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NLoong Dai <long.dai@intel.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* Replaces `github.com/benbjohnson/clock` with `k8s.io/utils/clock`. (#6054)

* Replaces `github.com/benbjohnson/clock` with `k8s.io/utils/clock`.
Deflake and speed up `pkg/actors` unit tests.
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Linting
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Add `github.com/benbjohnson/clock` to .golanci.yml list of packages which error
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Remove `t.Parallels()` for individual tests
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Remove `t.Parallel()` completely from tests
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

---------
Signed-off-by: NChris Gillum <cgillum@microsoft.com>
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Co-authored-by: NChris Gillum <cgillum@microsoft.com>
Co-authored-by: NLoong Dai <long.dai@intel.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NJosh van Leeuwen <me@joshvanl.dev>

* API Allowlist should not impact gRPC proxying

Fixes #6085
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Added releae notes
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Fixed release notes link
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* fix error message lost issue
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* fix lint
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* fix http unit test and grpc error message
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* add unit test
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* fix nil check
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* fix review
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

---------
Signed-off-by: Nzhangchao <zchao9100@gmail.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>

* fix redirect
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* fix e2e disable test client auto redirect
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* add release note
Signed-off-by: Nzhangchao <zchao9100@gmail.com>

* Update v1.10.3.md

---------
Signed-off-by: Nzhangchao <zchao9100@gmail.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>

* Updated release notes
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Updated pinned components-contrib
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Add release notes for Dapr 1.10.3
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Updating linter to 1.51.2
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Dapr fails to initialize when a middleware component failes to init
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Add tests
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Updated per review feedback
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Use UDS rather than TCP for test server



* Handle EOF errors on the Recv side



---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Create v1.10.2.md
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

* Update v1.10.2.md
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

* Update v1.10.2.md
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

---------
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

Cherry-pick #5584 into release-1.10 [DO NOT SQUASH]

1.10 Hotfix: Fix CloudEvent regression