Improper Authorization in google.golang.org/grpc

Summary

In versions prior to 1.79.3, gRPC-Go contains an authorisation bypass caused by improper input validation of the HTTP/2: path pseudo-header. The server accepts non-canonical paths missing the required leading slash (e.g., Service/Method instead of /Service/Method), and although routing succeeds, authorisation interceptors--including grpc/authz--evaluate the raw, non-canonical path. This causes canonical "deny" rules to fail to match and may allow unauthorized requests when a fallback "allow" rule exists. The issue is fixed in version 1.79.3.