
Unmaintained and vulnerable dependency

Open losuler opened this issue 4 years ago • 0 comments

The dependency satori/go.uuid is no longer maintained (https://github.com/satori/go.uuid/issues/84), and its current pinning on v1.2.0 suffers from this vulnerability: https://github.com/satori/go.uuid/issues/73.

Suggested fixes include either pinning the latest commit on the master branch of satori/go.uuid, where this issue has been fixed (https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557), or moving to a maintained replacement such as gofrs/uuid or google/uuid, which also resolves a number of other bugs.

The only change besides changing the pinning would be this line:

--- tunnel/api.go.orig	2021-03-02 16:37:50.890286864 +1100
+++ tunnel/api.go	2021-03-02 16:38:28.083334608 +1100
@@ -163,7 +163,7 @@ func (api *TunnelApi) doRequestInternal(
 		hreq.Header.Set(xOtsHeaderStsToken, api.securityToken)
 		otshead.set(xOtsHeaderStsToken, api.securityToken)
 	}
-	traceId := uuid.NewV4()
+	traceId := uuid.Must(uuid.NewV4())
 	hreq.Header.Set(xOtsHeaderTraceID, traceId.String())
 	otshead.set(xOtsHeaderTraceID, traceId.String())
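Review bot: `uuid.Must(uuid.NewV4())` on the changed line panics if NewV4 returns an error, so a failure of the entropy source would bring down the caller of doRequestInternal instead of failing the one request being built; if the function's signature permits it (the hunk header is cut off at `doRequestInternal(`, so the return values are not visible here), prefer `traceId, err := uuid.NewV4()` followed by an `if err != nil` return, and keep the two Header/otshead assignments below unchanged.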

losuler avatar Mar 02 '21 06:03 losuler
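As an added example (not code from the SDK, from satori/go.uuid or from the issue author), a standard-library trace-ID helper that shows the error path the `uuid.Must` wrapper hides: the random read is done with io.ReadFull and any failure is returned to the caller instead of being turned into a panic, and a validator shows what a consumer of the trace header can check. The names newTraceIDFrom, newTraceID and checkV4UUID are mine.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// newTraceIDFrom builds an RFC 4122 version-4 UUID from 16 bytes read from
// src. io.ReadFull turns a short read into an error, so a failing entropy
// source is reported to the caller (not panicked on, as with uuid.Must).
func newTraceIDFrom(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("trace id: entropy source failed: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4 in the high nibble of byte 6
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant: top two bits are 10
	h := hex.EncodeToString(b[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:], nil
}

// newTraceID is the production entry point, backed by crypto/rand.
func newTraceID() (string, error) { return newTraceIDFrom(rand.Reader) }

// checkV4UUID validates a trace ID seen in a header or log line: 8-4-4-4-12
// hex layout, version nibble 4, RFC 4122 variant. The Nil UUID fails it.
func checkV4UUID(s string) error {
	if len(s) != 36 || s[8] != '-' || s[13] != '-' || s[18] != '-' || s[23] != '-' {
		return errors.New("bad layout")
	}
	raw, err := hex.DecodeString(s[:8] + s[9:13] + s[14:18] + s[19:23] + s[24:])
	if err != nil || len(raw) != 16 {
		return errors.New("not 32 hex digits")
	}
	if raw[6]>>4 != 4 {
		return errors.New("not version 4")
	}
	if raw[8]&0xc0 != 0x80 {
		return errors.New("wrong variant")
	}
	return nil
}

func main() {
	id, err := newTraceID()
	fmt.Println(id, err, checkV4UUID(id))
}
```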