The APITokenAuthMiddleware allowed bypassing the check if the path included `/healthz`. An attacker only needed to include `/healthz` in the URL, even the querystring, to bypass the API token check, for example `/v1.0/invoke/myapp/method/something?foo=/healthz`.

Additionally, this was not checking the method of the request, so requests to `POST /healthz` would cause a service invocation to happen.

This fixes the issue by making the check a lot more strict. The API token check can be bypassed only if:

- The path is exactly `/v1.0/healthz` or `/v1.0/healthz/outbound` (slashes are trimmed on each side)
- The method is `GET`
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Signed-off-by: NBernd Verst <github@bernd.dev>

* Release notes for avro
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Upgraded components-contrib
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Fixed: race conditions in gRPC Configuration Subscribe API (#6558)
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NDapr Bot <56698301+dapr-bot@users.noreply.github.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* [Workflow] Fix unbounded history batch save issue (#6618)

* Workflow: Fix struct pointer issue resulting in miscounting history records
Signed-off-by: NChris Gillum <cgillum@microsoft.com>

* Update wf state unit tests to account for new custom status optimization
Signed-off-by: NChris Gillum <cgillum@microsoft.com>

---------
Signed-off-by: NChris Gillum <cgillum@microsoft.com>

* Update DurableTask-Go to fix issues with workflows hanging (#6659)
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Added release notes
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Backport changes to Azure tests to make them work again in the release-1.11 branch
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
#6488

---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NChris Gillum <cgillum@microsoft.com>
Co-authored-by: NDapr Bot <56698301+dapr-bot@users.noreply.github.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NChris Gillum <cgillum@microsoft.com>

Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Pin contrib v1.11.3, add docs for RabbitMQ memory leak
Signed-off-by: NBernd Verst <github@bernd.dev>

* Replace unlicensed indirect dependencies
Signed-off-by: NBernd Verst <github@bernd.dev>

* Update v1.11.1.md

* Update v1.11.1.md

---------
Signed-off-by: NBernd Verst <github@bernd.dev>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: Njoshvanl <me@joshvanl.dev>

Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

* Adds v1.11.1.md release notes
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Update docs/release_notes/v1.11.1.md
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>

* Adds TOC to release notes v1.11.1.md
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Fix copy paste error
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Signed-off-by: NYaron Schneider <schneider.yaron@live.com>
Signed-off-by: NJosh van Leeuwen <me@joshvanl.dev>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* remove app port requirement for http channel
Signed-off-by: Nyaron2 <schneider.yaron@live.com>

* prettify error message
Signed-off-by: Nyaron2 <schneider.yaron@live.com>

---------
Signed-off-by: Nyaron2 <schneider.yaron@live.com>

Signed-off-by: NBernd Verst <github@bernd.dev>

Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* Fixed goroutine leak in reminders and timers



* Added unit tests + some more tweaks



* Fixed last goroutine leaks



* Comments



---------
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>
Co-authored-by: NDapr Bot <56698301+dapr-bot@users.noreply.github.com>

Signed-off-by: Nyaron2 <schneider.yaron@live.com>

[Release 1.11] Pin contrib 1.11.1-rc.1, Update retracted dependency, add CI check for retracted dependencies (#6452)

* Add retracted dep check and upgrade retracted bluemonday version
Signed-off-by: NBernd Verst <github@bernd.dev>

* Pin contrib 1.11.1-rc.1
Signed-off-by: NBernd Verst <github@bernd.dev>

---------
Signed-off-by: NBernd Verst <github@bernd.dev>

Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

* Ensure parts is longer than 5. Components name validation
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Include ObjectMeta in type types
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

Fixes error reported by user on Discord: https://discord.com/channels/778680217417809931/1055270900125138975/1109309802435321896Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

* Update release notes
Signed-off-by: NShubham Sharma <shubhash@microsoft.com>

* Add win deprecation notice
Signed-off-by: NShubham Sharma <shubhash@microsoft.com>

---------
Signed-off-by: NShubham Sharma <shubhash@microsoft.com>
Co-authored-by: NYaron Schneider <schneider.yaron@live.com>

Signed-off-by: NYaron Schneider <schneider.yaron@live.com>

Signed-off-by: NShubham Sharma <shubhash@microsoft.com>

Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

Fix latest manifest tag

Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Update release notes from autogen script.



last changed at Jun 6, 2023 6:24 PM, pushed by Artur Souza



last changed at Jun 8, 2023 9:40 AM, pushed by Artur Souza



last changed at Jun 8, 2023 9:40 AM, pushed by Artur Souza



last changed at Jun 8, 2023 9:40 AM, pushed by Artur Souza



last changed at Jun 8, 2023 12:52 PM, pushed by Artur Souza



last changed at Jun 8, 2023 2:37 PM, pushed by Artur Souza
Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

Signed-off-by: NArtur Souza <asouza.pro@gmail.com>

* [Workflow] Add workflow generation to activity actor IDs

This change ensures uniqueness for activity invocations across
multiple workflow generations. This change will prevent actor
deadlocks caused by multiple workflow generations that schedule
concurrently executing activities with the same task ID.
Signed-off-by: NChris Gillum <cgillum@microsoft.com>

* Fix typos in comment
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>
Signed-off-by: NChris Gillum <cgillum@gmail.com>
Signed-off-by: NChris Gillum <cgillum@microsoft.com>

---------
Signed-off-by: NChris Gillum <cgillum@microsoft.com>
Signed-off-by: NChris Gillum <cgillum@gmail.com>
Co-authored-by: NAlessandro (Ale) Segala <43508+ItalyPaleAle@users.noreply.github.com>

See dapr/kit#52
Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Signed-off-by: NBernd Verst <github@bernd.dev>

Signed-off-by: NItalyPaleAle <43508+ItalyPaleAle@users.noreply.github.com>

Fix wasm binding register
Co-authored-by: NLoong Dai <long.dai@intel.com>

* Adds third party URI path normalization, removing segment decoding
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds e2e tests to ensure only slashes are normalized. Segments remain
encoded as is.
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds copyright headers
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Write back escaped path from echoPath e2e handler
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* linting
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Don't escape path in e2e service invocation app router
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Use correct expected path
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Remove trailing slashes since we use strict slashes in router
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>

Signed-off-by: NBernd Verst <github@bernd.dev>

Signed-off-by: NDeepanshu Agarwal <deepanshu.agarwal1984@gmail.com>

Signed-off-by: NChris Gillum <cgillum@microsoft.com>

* Actor State TTL: put feature being feature gate
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Linting
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Add comment to where ActorStateTTL feature gate it used with a reminder
to remove it.
Signed-off-by: Njoshvanl <me@joshvanl.dev>

* Adds separate e2e config and assign to actor_state test for actor state
ttl
Signed-off-by: Njoshvanl <me@joshvanl.dev>

---------
Signed-off-by: Njoshvanl <me@joshvanl.dev>
Co-authored-by: NArtur Souza <asouza.pro@gmail.com>

* fix rbac permit for operator-admin
Signed-off-by: NFilinto Duran <filinto@diagrid.io>

* refactor negated logic
Signed-off-by: NFilinto Duran <filinto@diagrid.io>

---------
Signed-off-by: NFilinto Duran <filinto@diagrid.io>