
gosec error - Potential DoS vulnerability via decompression

Open · FilipNikolovski opened this issue 5 years ago · 1 comment

When running the tool gosec, it throws an error on the generated code, for the G110 rule - Potential DoS vulnerability via decompression bomb.

G110 (CWE-409): Potential DoS vulnerability via decompression bomb (Confidence: MEDIUM, Severity: MEDIUM)

io.Copy(&buf, gz)

It is advised to use io.CopyN when doing a decompression. Related issue - https://github.com/securego/gosec/pull/433

FilipNikolovski · Jan 26 '20 12:01
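For reference, here is a self-contained illustration of the pattern gosec flags and of the bounded alternative it recommends. This is an added example, not code from go-bindata or from the issue author; the `maxDecompressed` limit, the `gzipBytes` helper and the sample payloads are constructed for the demonstration. `io.CopyN` is asked for `limit+1` bytes so the caller can distinguish "fits within the limit" from "truncated", and the truncated case is rejected rather than returned as partial data.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// maxDecompressed is a constructed limit for this example; in practice it
// would be sized to the largest asset the binary is expected to embed.
const maxDecompressed = 1 << 16 // 64 KiB

// ErrTooLarge is returned when the inflated stream exceeds the limit.
var ErrTooLarge = errors.New("decompressed data exceeds limit")

// gzipBytes compresses data in memory; used only to build sample inputs.
func gzipBytes(data []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	_, _ = gz.Write(data)
	_ = gz.Close()
	return buf.Bytes()
}

// decompressUnbounded mirrors the pattern gosec reports under G110:
// io.Copy grows buf to whatever size the stream inflates to.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	var buf bytes.Buffer
	if _, err := io.Copy(&buf, gz); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// decompressBounded copies at most limit+1 bytes with io.CopyN. io.CopyN
// returns io.EOF when the stream ends before n bytes, which is the normal
// case for a payload that fits; reading more than limit means the payload
// is oversized and is rejected.
func decompressBounded(compressed []byte, limit int64) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	var buf bytes.Buffer
	n, err := io.CopyN(&buf, gz, limit+1)
	if err != nil && err != io.EOF {
		return nil, err
	}
	if n > limit {
		return nil, ErrTooLarge
	}
	return buf.Bytes(), nil
}

func main() {
	// Constructed inputs: a small asset and a highly compressible payload
	// that inflates to four times the limit.
	small := gzipBytes([]byte("hello, embedded asset"))
	big := gzipBytes(bytes.Repeat([]byte{'A'}, 4*maxDecompressed))

	out, err := decompressBounded(small, maxDecompressed)
	fmt.Printf("small: %d bytes, err=%v\n", len(out), err)

	_, err = decompressBounded(big, maxDecompressed)
	fmt.Printf("big: err=%v\n", err)
}
```

The unbounded variant is kept only for contrast; it inflates the oversized payload in full, which is exactly the memory growth G110 warns about.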

As a workaround, using the -nocompress flag causes the data to be included uncompressed and therefore avoids this issue. I'll be doing this until #50 is merged.

JohnAnthony · Jun 26 '20 19:06