
Update gofiber dependency

Open sks opened this issue 3 years ago • 3 comments

sks, Aug 25 '22 08:08

As a golang dev, I don't really care about this vuln. (Not even sure how this would pan out.)

But since the upgrade won't cause a regression, I thought I might as well go for this to get a better report for our service.

From our code analysis tool:

Explanation

The github.com/gofiber/fiber package is vulnerable due to Improper Check or Handling of Exceptional Conditions. The readContent() function in the helpers.go file fails to properly handle errors thrown when deferring calls to File.Close(). A developer, unaware of this situation, may introduce a security risk by this unexpected behavior.

Recommendation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Advisories

Evidence: https://github.com/gofiber/fiber/releases/tag/v2.21.0

sks, Aug 25 '22 14:08
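The scan report above describes a defect class rather than a specific exploit: a deferred `File.Close()` whose error is silently discarded. The following is an added illustration, not code from dd-trace-go or from gofiber/fiber's `readContent()`; the function names, the `failingCloser` and `failingReader` test doubles, and the sample file are all constructed here. It puts the lossy pattern next to the idiomatic fix (a named return that lets the deferred `Close` surface its error, without masking an earlier read error):

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// failingCloser is a constructed test double: reads succeed, but Close reports
// an error, standing in for a handle whose final flush or release fails.
type failingCloser struct {
	io.Reader
	closeErr error
}

func (c failingCloser) Close() error { return c.closeErr }

// failingReader is a constructed test double whose Read always fails, used to
// check that a read error is not overwritten by a later Close error.
type failingReader struct{ err error }

func (r failingReader) Read(p []byte) (int, error) { return 0, r.err }

// readAllIgnoringClose shows the defect class from the report: the deferred
// Close runs, but whatever it returns is dropped, so the caller never learns
// that releasing the resource failed.
func readAllIgnoringClose(rc io.ReadCloser) ([]byte, error) {
	defer rc.Close() // return value silently discarded
	return io.ReadAll(rc)
}

// readAllCheckingClose is the hardened form: a named error return lets the
// deferred function promote a Close error to the caller, but only when the
// read itself succeeded, so the earlier (usually more specific) error wins.
func readAllCheckingClose(rc io.ReadCloser) (data []byte, err error) {
	defer func() {
		if cerr := rc.Close(); cerr != nil && err == nil {
			err = cerr
		}
	}()
	return io.ReadAll(rc)
}

// openAndRead is the file-backed wrapper a real helper would expose.
func openAndRead(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	return readAllCheckingClose(f)
}

func main() {
	// Constructed sample file so the example runs offline.
	tmp, err := os.CreateTemp("", "readcontent-example-*.txt")
	if err != nil {
		panic(err)
	}
	defer os.Remove(tmp.Name())
	if _, err := tmp.WriteString("hello, fiber"); err != nil {
		panic(err)
	}
	if err := tmp.Close(); err != nil {
		panic(err)
	}

	data, err := openAndRead(tmp.Name())
	fmt.Printf("file read: %q, err=%v\n", data, err)

	// With a closer that fails, only the checking variant reports it.
	closeErr := errors.New("close failed")
	_, errIgnored := readAllIgnoringClose(failingCloser{strings.NewReader("x"), closeErr})
	_, errChecked := readAllCheckingClose(failingCloser{strings.NewReader("x"), closeErr})
	fmt.Printf("ignoring close: err=%v\nchecking close: err=%v\n", errIgnored, errChecked)
}
```

The `cerr != nil && err == nil` guard is the part worth copying: it keeps a failed read from being hidden behind a less informative close error, while still making a failed close visible when everything else went fine.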

Thanks! For reference, here's the commit that fixes the referenced issue. This commit is first available in version v2.21.0. Could you please change this PR to upgrade to that version instead? We prefer to use the minimum secure version of a dependency to minimize the risk of introducing breaking changes to users. (See our contribution guidelines)

nsrip-dd, Aug 25 '22 14:08

Updated to v2.21.0

sks, Aug 29 '22 16:08

This was upgraded in #1487, so it is no longer needed.

ajgajg1134, Jan 17 '23 17:01