webhooks icon indicating copy to clipboard operation
webhooks copied to clipboard
verified publisher icon go-playground

Add length check to github signature

Open AdamKorcz opened this issue 2 years ago • 11 comments

Adds a length check to avoid an out-of-range panic.

AdamKorcz avatar Nov 18 '23 15:11 AdamKorcz

Coverage Status

coverage: 88.586% (-0.2%) from 88.765% when pulling f4db242ae5378f7a98e3fee6ef02c5f0d050ed45 on AdamKorcz:fix-out-of-range into 53694f85d27d5446a0790b0408b6799ac9709b98 on go-playground:master.

coveralls avatar Nov 18 '23 15:11 coveralls

@robinlieb, this PR relates to a Security Audit done to the CNCF Knative Project, Knative uses this repository as a dependency and the audit requires this to be fixed.

Can you check to see if this PR is expected to be fixed any time soon, or should Knative look for alternatives instead?

davidhadas avatar Nov 29 '23 19:11 davidhadas

Hi @AdamKorcz, is this change still needed after the merge of #173?

robinlieb avatar Nov 29 '23 20:11 robinlieb

Hi @AdamKorcz, is this change still needed after the merge of #173?

Yes

AdamKorcz avatar Nov 29 '23 23:11 AdamKorcz

@robinlieb Can you have a look at https://github.com/go-playground/webhooks/security/advisories/GHSA-m7vc-6h95-xrjq and invite @davidhadas as a collaborator there as well?

AdamKorcz avatar Nov 29 '23 23:11 AdamKorcz

@robinlieb Can you have a look at https://github.com/go-playground/webhooks/security/advisories/GHSA-m7vc-6h95-xrjq and invite @davidhadas as a collaborator there as well?

I'm the other security lead on Knative, and I'd appreciate if I could be on this issue as well.

evankanderson avatar Dec 04 '23 16:12 evankanderson

Actually, #173 did fix this by swapping []byte(signature[5:]) for strings.TrimSignature, which removes the slice indexing.

I think we can close this given #173 being merged. Do you agree @AdamKorcz ?

evankanderson avatar Dec 04 '23 16:12 evankanderson

Seems like I don't have access neither. @deankarn can you have a look and add me and the two mentioned in the thread to this security advisory?

robinlieb avatar Dec 04 '23 17:12 robinlieb

Maybe I missed something how would I add someone to the security advisory? Not sure I understand.

deankarn avatar Dec 06 '23 15:12 deankarn

Maybe I missed something how would I add someone to the security advisory? Not sure I understand.

https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/adding-a-collaborator-to-a-repository-security-advisory

AdamKorcz avatar Dec 06 '23 16:12 AdamKorcz

OK y'all should be added now as collaborators.

deankarn avatar Dec 07 '23 03:12 deankarn