Tags: chainguard-forks/minio
fix: require signature verification in Snowball extract handler (CVE-… …2026-40344)

PutObjectExtractHandler (the X-Amz-Meta-Snowball-Auto-Extract handler) was missing a case for authTypeStreamingUnsignedTrailer in its `switch rAuthType` block. When STREAMING-UNSIGNED-PAYLOAD-TRAILER support was added upstream (PR minio#16484 / commit 76913a9), the new auth type was wired into PutObjectHandler and PutObjectPartHandler but never into the extract handler.

As a result, a request carrying `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER`, the Snowball auto-extract header, and an Authorization header with a valid access key but a FABRICATED signature fell through the switch (no matching case, no default) with ZERO cryptographic signature verification. isPutActionAllowed, called before the switch, only authorizes the access key against IAM policy and does not verify the request signature, so the tar payload was extracted into the bucket unauthenticated.

This adds the missing `case authTypeStreamingUnsignedTrailer:` mirroring the protected handlers: the body is wrapped in newUnsignedV4ChunkedReader, which verifies the request signature when credentials are present. The hasCreds gate (Authorization header OR X-Amz-Credential query param) matches the post-CVE-2026-41145 form so the query-string credential bypass (Vuln 2) is not reintroduced. The Content-Length / X-Amz-Decoded-Content-Length size-decode guard is also extended to cover the unsigned-trailer auth type, matching PutObjectHandler.

A regression test (TestCVE202640344SnowballExtract in cmd/server_test.go) exercises the full handler over HTTP: a Snowball extract PUT with a fabricated signature is now rejected, while a legitimately signed extract still succeeds and unpacks the tar into the bucket. The test fails without this fix and passes with it.

Refs: GHSA-9c4q-hq6p-c237 / CVE-2026-40344
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Will Cooke <will.cooke@chainguard.dev>
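As an added illustration (not MinIO's code and not the patch in this commit), a Go model of the switch shape the message describes: an auth-type dispatch with no case for the unsigned-trailer type and no default falls through to "allowed", while the corrected form verifies the signature whenever credentials are present. The default-deny arm is this example's own addition; the HMAC stand-in for SigV4, the secret and all names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// authType is a hypothetical stand-in for the auth-type classifier a PUT
// handler switches on; the names echo the commit message, not MinIO's code.
type authType int

const (
	authTypeSigned                   authType = iota // plain SigV4 body
	authTypeStreamingUnsignedTrailer                 // STREAMING-UNSIGNED-PAYLOAD-TRAILER
)

// verifySig stands in for SigV4 verification: HMAC-SHA256 over the payload
// under the server-side secret, compared in constant time.
func verifySig(secret []byte, payload, sig string) bool {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return hmac.Equal([]byte(hex.EncodeToString(mac.Sum(nil))), []byte(sig))
}

// extractVulnerable has the flawed shape: no case for the unsigned-trailer
// auth type and no default, so that request falls through to "allowed"
// without any signature check.
func extractVulnerable(secret []byte, auth authType, hasCreds bool, payload, sig string) bool {
	switch auth {
	case authTypeSigned:
		return verifySig(secret, payload, sig)
	}
	return true // reached for authTypeStreamingUnsignedTrailer
}

// extractFixed adds the missing case (verify whenever credentials are sent)
// and a default arm that denies any auth type the switch does not name.
func extractFixed(secret []byte, auth authType, hasCreds bool, payload, sig string) bool {
	switch auth {
	case authTypeSigned:
		return verifySig(secret, payload, sig)
	case authTypeStreamingUnsignedTrailer:
		return !hasCreds || verifySig(secret, payload, sig) // anonymous is left to IAM policy
	default:
		return false
	}
}
```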
Fix CVE-2026-33814 Bump golang.org/x/net from 0.52.0 to 0.53.0. Signed-off-by: Sergio Durigan Junior <sergiodj@chainguard.dev>
go.sum: Fix typo with previously unresolved conflict Signed-off-by: Sergio Durigan Junior <sergiodj@chainguard.dev>
fix: guard SSE replication headers against injection (CVE-2026-34204) (… …#23)

A regular client could supply X-Minio-Replication-Server-Side-Encryption-* headers in a PUT request, causing them to be stored as internal SSE metadata. This allowed injection of fake sealed key material, potentially bypassing SSE verification.

Add a check in extractMetadataFromMime() to only accept headers in replicationToInternalHeaders when the request carries the X-Minio-Source-Replication-Request header, which is only set by MinIO's internal replication system.
chore(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#… …20)

Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.40.0 to 1.43.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.40.0...v1.43.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel/sdk
  dependency-version: 1.43.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
chore: go bump v1.25.8 (#16)

* chore: go bump v1.25.8

Signed-off-by: tdunlap607 <trevor.dunlap@chainguard.dev>

* chore: bump Go 1.24 to 1.25 in Dockerfiles and CI workflows

Update golang Docker image tags and GitHub Actions go-version matrix entries to match the go.mod bump to Go 1.25.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: tdunlap607 <trevor.dunlap@chainguard.dev>

---------

Signed-off-by: tdunlap607 <trevor.dunlap@chainguard.dev>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix(ci): remove separate tag step from release workflow (#12)

Let `gh release create` handle tag creation via the GitHub API using the Octo-STS token, instead of using `git push` which fails because the checkout action's HTTP credentials only have read access.

Signed-off-by: tdunlap607 <trevor.dunlap@chainguard.dev>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>