flyteorg · Sovietaced · Dec 1, 2025 · Dec 1, 2025 · Sovietaced · Aug 30, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ ARG FLYTECONSOLE_VERSION=latest
 FROM ghcr.io/flyteorg/flyteconsole:${FLYTECONSOLE_VERSION} AS flyteconsole
 
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-bookworm AS flytebuilder
+FROM --platform=${BUILDPLATFORM} golang:1.24-bookworm AS flytebuilder
 
 ARG TARGETARCH
 ENV GOARCH="${TARGETARCH}"

diff --git a/Dockerfile.datacatalog b/Dockerfile.datacatalog
@@ -3,7 +3,7 @@
 #
 # TO OPT OUT OF UPDATES, SEE https://github.com/flyteorg/boilerplate/blob/master/Readme.rst
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-alpine3.21 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine3.21 AS builder
 
 
 ARG TARGETARCH

diff --git a/Dockerfile.flyteadmin b/Dockerfile.flyteadmin
@@ -3,7 +3,7 @@
 #
 # TO OPT OUT OF UPDATES, SEE https://github.com/lyft/boilerplate/blob/master/Readme.rst
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-alpine3.21 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine3.21 AS builder
 
 ARG TARGETARCH
 ENV GOARCH="${TARGETARCH}"

diff --git a/Dockerfile.flytecopilot b/Dockerfile.flytecopilot
@@ -3,7 +3,7 @@
 #
 # TO OPT OUT OF UPDATES, SEE https://github.com/lyft/boilerplate/blob/master/Readme.rst
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-alpine3.21 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine3.21 AS builder
 
 
 ARG TARGETARCH

diff --git a/Dockerfile.flytepropeller b/Dockerfile.flytepropeller
@@ -4,7 +4,7 @@
 # TO OPT OUT OF UPDATES, SEE https://github.com/lyft/boilerplate/blob/master/Readme.rst
 
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-alpine3.21 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine3.21 AS builder
 
 
 ARG TARGETARCH

diff --git a/Dockerfile.flytescheduler b/Dockerfile.flytescheduler
@@ -4,7 +4,7 @@
 # TO OPT OUT OF UPDATES, SEE https://github.com/lyft/boilerplate/blob/master/Readme.rst
 
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-alpine3.21 AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.24-alpine3.21 AS builder
 
 
 ARG TARGETARCH

diff --git a/boilerplate/flyte/golang_support_tools/go.mod b/boilerplate/flyte/golang_support_tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/flyteorg/boilerplate
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/alvaroloes/enumer v1.1.2

diff --git a/datacatalog/go.mod b/datacatalog/go.mod
@@ -1,6 +1,6 @@
 module github.com/flyteorg/flyte/datacatalog
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/Selvatico/go-mocket v1.0.7

diff --git a/datacatalog/pkg/manager/impl/validators/errors.go b/datacatalog/pkg/manager/impl/validators/errors.go
@@ -1,8 +1,6 @@
 package validators
 
 import (
-	"fmt"
-
 	"google.golang.org/grpc/codes"
 
 	"github.com/flyteorg/flyte/datacatalog/pkg/common"
@@ -14,13 +12,13 @@ const invalidArgFormat = "invalid value for %s, value:[%s]"
 const invalidFilterFormat = "%s cannot be filtered by %s properties"
 
 func NewMissingArgumentError(field string) error {
-	return errors.NewDataCatalogErrorf(codes.InvalidArgument, fmt.Sprintf(missingFieldFormat, field)) //nolint
+	return errors.NewDataCatalogErrorf(codes.InvalidArgument, missingFieldFormat, field)
 }
 
 func NewInvalidArgumentError(field string, value string) error {
-	return errors.NewDataCatalogErrorf(codes.InvalidArgument, fmt.Sprintf(invalidArgFormat, field, value)) //nolint
+	return errors.NewDataCatalogErrorf(codes.InvalidArgument, invalidArgFormat, field, value)
 }
 
 func NewInvalidFilterError(entity common.Entity, propertyEntity common.Entity) error {
-	return errors.NewDataCatalogErrorf(codes.InvalidArgument, fmt.Sprintf(invalidFilterFormat, entity, propertyEntity)) //nolint
+	return errors.NewDataCatalogErrorf(codes.InvalidArgument, invalidFilterFormat, entity, propertyEntity)
 }
diff --git a/datacatalog/pkg/repositories/errors/postgres.go b/datacatalog/pkg/repositories/errors/postgres.go
@@ -2,7 +2,6 @@ package errors
 
 import (
 	"errors"
-	"fmt"
 	"reflect"
 
 	"github.com/jackc/pgconn"
@@ -62,7 +61,7 @@ func (p *postgresErrorTransformer) ToDataCatalogError(err error) error {
 	case undefinedTable:
 		return catalogErrors.NewDataCatalogErrorf(codes.InvalidArgument, unsupportedTableOperation, pqError.Message)
 	default:
-		return catalogErrors.NewDataCatalogErrorf(codes.Unknown, fmt.Sprintf(defaultPgError, pqError.Code, pqError.Message)) //nolint
+		return catalogErrors.NewDataCatalogErrorf(codes.Unknown, defaultPgError, pqError.Code, pqError.Message)
 	}
 }
 

diff --git a/docker/sandbox-bundled/Dockerfile b/docker/sandbox-bundled/Dockerfile
@@ -10,7 +10,7 @@ COPY images/manifest.txt images/preload ./
 RUN --security=insecure ./preload manifest.txt
 
 
-FROM --platform=${BUILDPLATFORM} golang:1.23-bullseye AS bootstrap
+FROM --platform=${BUILDPLATFORM} golang:1.24-bullseye AS bootstrap
 
 ARG TARGETARCH
 ENV CGO_ENABLED 0

diff --git a/docker/sandbox-bundled/bootstrap/go.mod b/docker/sandbox-bundled/bootstrap/go.mod
@@ -1,6 +1,6 @@
 module github.com/flyteorg/flyte/docker/sandbox-bundled/bootstrap
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/stretchr/testify v1.8.0

diff --git a/flyteadmin/auth/cookie.go b/flyteadmin/auth/cookie.go
@@ -2,12 +2,13 @@ package auth
 
 import (
 	"context"
+	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/hex"
-	"math/rand"
+	"fmt"
 	"net/http"
 	"net/url"
-	"time"
 
 	"github.com/gorilla/securecookie"
 
@@ -112,25 +113,29 @@ func ReadSecureCookie(ctx context.Context, cookie http.Cookie, hashKey, blockKey
 	return "", errors.Wrapf(ErrSecureCookie, err, "Error reading secure cookie %s", cookie.Name)
 }
 
-func NewCsrfToken(seed int64) string {
-	rand.Seed(seed)
-	csrfToken := [10]rune{}
-	for i := 0; i < len(csrfToken); i++ {
-		/* #nosec */
-		csrfToken[i] = AllowedChars[rand.Intn(len(AllowedChars))]
+func NewCsrfToken() (string, error) {
+	// 32 bytes = 256 bits of entropy, plenty for CSRF
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
 	}
-	return string(csrfToken[:])
+
+	// base64 encode so it's safe to embed in HTML forms
+	return base64.URLEncoding.EncodeToString(b), nil
 }
 
-func NewCsrfCookie() http.Cookie {
-	csrfStateToken := NewCsrfToken(time.Now().UnixNano())
+func NewCsrfCookie() (http.Cookie, error) {
+	csrfStateToken, err := NewCsrfToken()
+	if err != nil {
+		return http.Cookie{}, fmt.Errorf("creating csrf token: %w", err)
+	}
 	return http.Cookie{
 		Name:     csrfStateCookieName,
 		Value:    csrfStateToken,
 		SameSite: http.SameSiteLaxMode,
 		HttpOnly: true,
 		Secure:   !config.GetConfig().Security.InsecureCookieHeader,
-	}
+	}, nil
 }
 
 func VerifyCsrfCookie(ctx context.Context, request *http.Request) error {

diff --git a/flyteadmin/auth/cookie_test.go b/flyteadmin/auth/cookie_test.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/gorilla/securecookie"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/flyteorg/flyte/flyteadmin/auth/config"
 	"github.com/flyteorg/flyte/flyteadmin/auth/interfaces/mocks"
@@ -76,8 +77,21 @@ func TestSecureCookieLifecycle(t *testing.T) {
 }
 
 func TestNewCsrfToken(t *testing.T) {
-	csrf := NewCsrfToken(5)
-	assert.Equal(t, "5qz3p9w8qo", csrf)
+	// Generate many tokens and assert uniqueness and decodability
+	const n = 1000
+	seen := make(map[string]struct{}, n)
+
+	for i := 0; i < n; i++ {
+		tok, err := NewCsrfToken()
+		require.NoError(t, err)
+		require.Len(t, tok, 44)
+
+		if _, ok := seen[tok]; ok {
+			t.Fatalf("duplicate token generated at i=%d", i)
+		}
+		seen[tok] = struct{}{}
+	}
+
 }
 
 func TestNewCsrfCookie(t *testing.T) {
@@ -108,7 +122,8 @@ func TestNewCsrfCookie(t *testing.T) {
 			})
 
 			// Generate CSRF cookie
-			cookie := NewCsrfCookie()
+			cookie, err := NewCsrfCookie()
+			require.NoError(t, err)
 
 			// Validate CSRF cookie properties
 			assert.Equal(t, "flyte_csrf_state", cookie.Name)
@@ -139,7 +154,8 @@ func TestVerifyCsrfCookie(t *testing.T) {
 		v := url.Values{
 			"state": []string{"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
 		}
-		cookie := NewCsrfCookie()
+		cookie, err := NewCsrfCookie()
+		require.NoError(t, err)
 		cookie.Value = "helloworld"
 		request.Form = v
 		request.AddCookie(&cookie)
@@ -154,7 +170,8 @@ func TestVerifyCsrfCookie(t *testing.T) {
 		v := url.Values{
 			"state": []string{"b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"},
 		}
-		cookie := NewCsrfCookie()
+		cookie, err := NewCsrfCookie()
+		require.NoError(t, err)
 		cookie.Value = "hello world"
 		request.Form = v
 		request.AddCookie(&cookie)

diff --git a/flyteadmin/auth/handlers.go b/flyteadmin/auth/handlers.go
@@ -139,7 +139,12 @@ func RefreshTokensIfExists(ctx context.Context, authCtx interfaces.Authenticatio
 // provider, it saves a cookie that contains the redirect url for after the authentication flow is done.
 func GetLoginHandler(ctx context.Context, authCtx interfaces.AuthenticationContext) http.HandlerFunc {
 	return func(writer http.ResponseWriter, request *http.Request) {
-		csrfCookie := NewCsrfCookie()
+		csrfCookie, err := NewCsrfCookie()
+		if err != nil {
+			logger.Errorf(ctx, "Failed to create CSRF cookie. Error: %s", err)
+			writer.WriteHeader(http.StatusInternalServerError)
+			return
+		}
 		csrfToken := csrfCookie.Value
 		http.SetCookie(writer, &csrfCookie)
 

diff --git a/flyteadmin/auth/handlers_test.go b/flyteadmin/auth/handlers_test.go
@@ -66,8 +66,9 @@ func addStateString(request *http.Request) {
 	request.Form = v
 }
 
-func addCsrfCookie(request *http.Request) {
-	cookie := NewCsrfCookie()
+func addCsrfCookie(t *testing.T, request *http.Request) {
+	cookie, err := NewCsrfCookie()
+	require.NoError(t, err)
 	cookie.Value = "hello world"
 	request.AddCookie(&cookie)
 }
@@ -87,7 +88,7 @@ func TestGetCallbackHandlerWithErrorOnToken(t *testing.T) {
 	r := plugins.NewRegistry()
 	callbackHandlerFunc := GetCallbackHandler(ctx, mockAuthCtx, r)
 	request := httptest.NewRequest("GET", localServer.URL+"/callback", nil)
-	addCsrfCookie(request)
+	addCsrfCookie(t, request)
 	addStateString(request)
 	writer := httptest.NewRecorder()
 	callbackHandlerFunc(writer, request)
@@ -161,7 +162,7 @@ func TestGetCallbackHandler(t *testing.T) {
 		r := plugins.NewRegistry()
 		callbackHandlerFunc := GetCallbackHandler(ctx, mockAuthCtx, r)
 		request := httptest.NewRequest("GET", localServer.URL+"/callback", nil)
-		addCsrfCookie(request)
+		addCsrfCookie(t, request)
 		addStateString(request)
 		writer := httptest.NewRecorder()
 		openIDConfigJSON = fmt.Sprintf(`{
@@ -188,7 +189,7 @@ func TestGetCallbackHandler(t *testing.T) {
 		r.RegisterDefault(plugins.PluginIDPreRedirectHook, redirectFunc)
 		callbackHandlerFunc := GetCallbackHandler(ctx, mockAuthCtx, r)
 		request := httptest.NewRequest("GET", localServer.URL+"/callback", nil)
-		addCsrfCookie(request)
+		addCsrfCookie(t, request)
 		addStateString(request)
 		writer := httptest.NewRecorder()
 		openIDConfigJSON = fmt.Sprintf(`{
@@ -219,7 +220,7 @@ func TestGetCallbackHandler(t *testing.T) {
 		r.RegisterDefault(plugins.PluginIDPreRedirectHook, redirectFunc)
 		callbackHandlerFunc := GetCallbackHandler(ctx, mockAuthCtx, r)
 		request := httptest.NewRequest("GET", localServer.URL+"/callback", nil)
-		addCsrfCookie(request)
+		addCsrfCookie(t, request)
 		addStateString(request)
 		writer := httptest.NewRecorder()
 		openIDConfigJSON = fmt.Sprintf(`{

diff --git a/flyteadmin/go.mod b/flyteadmin/go.mod
@@ -1,6 +1,6 @@
 module github.com/flyteorg/flyte/flyteadmin
 
-go 1.23.0
+go 1.24.0
 
 require (
 	cloud.google.com/go/iam v1.1.5