fix: update protobuf version for <= 3.12 (cve fix) (#1837)

hallvictoria · web-flow · commit 8edaef1dc8fa · 2026-03-16T16:20:35.000-05:00
* bump protobuf version for &lt;= 3.12

* update grpc

* mount protobuf &amp; grpc

* mount protobuf &amp; grpc

* mount protobuf &amp; grpc

* lint
diff --git a/eng/ci/public-build.yml b/eng/ci/public-build.yml
@@ -74,20 +74,20 @@ extends:
       # Skip the build stage for SDK and Extensions release branches. This stage will fail because pyproject.toml contains the updated (and unreleased) library version
       condition: and(eq(variables.isSdkRelease, false), eq(variables.isExtensionsRelease, false), eq(variables['USETESTPYTHONSDK'], false), eq(variables['USETESTPYTHONEXTENSIONS'], false))
     - stage: CheckPythonWorkerDependencies
-      dependsOn: []
+      dependsOn: BuildPythonWorker
       jobs:
       - template: /eng/templates/jobs/ci-dependency-check.yml@self
         parameters:
           PoolName: 1es-pool-azfunc-public
     - stage: RunWorkerUnitTests
-      dependsOn: CheckPythonWorkerDependencies
+      dependsOn: BuildPythonWorker
       jobs:
         - template: /eng/templates/jobs/ci-unit-tests.yml@self
           parameters:
             PROJECT_DIRECTORY: 'workers'
             PoolName: 1es-pool-azfunc-public
     - stage: RunWorkerEmulatorTests
-      dependsOn: CheckPythonWorkerDependencies
+      dependsOn: BuildPythonWorker
       jobs:
         - template: /eng/templates/jobs/ci-emulator-tests.yml@self
           parameters:
diff --git a/workers/pyproject.toml b/workers/pyproject.toml
@@ -28,14 +28,11 @@ dependencies = [
      "azure-functions==1.24.0; python_version < '3.10'",
      "azure-functions==1.25.0b4; python_version >= '3.10'",
      "python-dateutil~=2.9.0",
-     "protobuf~=4.25.3; python_version < '3.13'",
-     "protobuf~=5.29.0; python_version == '3.13'",
+     "protobuf~=5.29.0; python_version <= '3.13'",
      "protobuf~=6.33.1; python_version == '3.14'",
-     "grpcio-tools~=1.59.0;python_version < '3.13'",
-     "grpcio-tools~=1.70.0; python_version == '3.13'",
+     "grpcio-tools~=1.70.0; python_version <= '3.13'",
      "grpcio-tools~=1.75.1; python_version == '3.14'",
-     "grpcio~=1.59.0; python_version < '3.13'",
-     "grpcio~=1.70.0; python_version == '3.13'",
+     "grpcio~=1.70.0; python_version <= '3.13'",
      "grpcio~=1.75.1; python_version == '3.14'",
      "uvloop~=0.21.0; python_version == '3.13' and sys_platform != 'win32'",
      "uvloop~=0.22.0; python_version == '3.14' and sys_platform != 'win32'",
diff --git a/workers/tests/unittests/test_utilities_dependency.py b/workers/tests/unittests/test_utilities_dependency.py
@@ -661,12 +661,12 @@ def test_newrelic_protobuf_import_scenario_worker_deps(self):
 
         DependencyManager.prioritize_customer_dependencies()
 
-        # protobuf v4 is found
+        # protobuf v5 is found
         from google.protobuf import __version__
 
         protobuf_version = tuple(int(v) for v in __version__.split("."))
         self.assertIsNotNone(protobuf_version)
-        self.assertEqual(protobuf_version[0], 4)
+        self.assertEqual(protobuf_version[0], 5)
 
     @unittest.skipIf(sys.version_info.minor <= 7,
                      "The worker brings different protobuf versions"
@@ -692,8 +692,8 @@ def test_newrelic_protobuf_import_scenario_user_deps(self):
         protobuf_version = tuple(int(v) for v in __version__.split("."))
         self.assertIsNotNone(protobuf_version)
 
-        # newrelic tries to import protobuf v4
-        self.assertEqual(protobuf_version[0], 4)
+        # newrelic tries to import protobuf v5
+        self.assertEqual(protobuf_version[0], 5)
 
         # newrelic tries to import protobuf v3
         self.assertNotEqual(protobuf_version[0], 3)
diff --git a/workers/tests/utils/testutils_lc.py b/workers/tests/utils/testutils_lc.py
@@ -242,6 +242,31 @@ def spawn_container(self,
             '-extensions-dev/azurefunctions-extensions-base'
             '/azurefunctions/extensions/base'
         )
+
+        # Get paths to google.protobuf and grpcio packages to mount them
+        # This ensures the container uses the same protobuf/grpc versions
+        # as the host, which is critical when protobuf files are generated
+        # with v5.x but the container has v4.x
+        try:
+            import google.protobuf
+            import grpc
+            protobuf_path = os.path.dirname(google.protobuf.__file__)
+            grpc_path = os.path.dirname(grpc.__file__)
+
+            # Container paths for protobuf and grpcio
+            container_protobuf_path = (
+                f"/azure-functions-host/workers/python/{self._py_version}/"
+                "LINUX/X64/google/protobuf"
+            )
+            container_grpc_path = (
+                f"/azure-functions-host/workers/python/{self._py_version}/"
+                "LINUX/X64/grpc"
+            )
+        except ImportError as e:
+            print(f"Warning: Could not import google.protobuf or grpc: {e}")
+            protobuf_path = None
+            grpc_path = None
+
         run_cmd = []
         run_cmd.extend([self._docker_cmd, "run", "-p", "0:80", "-d"])
         run_cmd.extend(["--name", self._uuid, "--privileged"])
@@ -258,6 +283,12 @@ def spawn_container(self,
         run_cmd.extend(["-v",
                         f'{base_ext_local_path}:{base_ext_container_path}'])
 
+        # Mount protobuf and grpcio packages if they were found
+        if protobuf_path:
+            run_cmd.extend(["-v", f'{protobuf_path}:{container_protobuf_path}'])
+        if grpc_path:
+            run_cmd.extend(["-v", f'{grpc_path}:{container_grpc_path}'])
+
         for key, value in env.items():
             run_cmd.extend(["-e", f"{key}={value}"])
         run_cmd.append(image)
