Go ParseThru vulnerability
There is a vulnerability in Go URL parsing. More on that here: https://www.oxeye.io/blog/golang-parameter-smuggling-attack
In a nutshell, the method Query() ignores the error that the underlying parsing function produces when it finds a semicolon in the query. The solution is to replace query = r.URL.Query() with query, err = url.ParseQuery(r.URL.RawQuery), so that the error raised for the semicolon is no longer ignored and can be handled.
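The difference between the two calls, as an added example that is not code from this project: the handler names, the respond helper and the sample request target are constructed for illustration, and it assumes Go 1.17 or later, where a semicolon in the query is a parse error.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Constructed sample request target: the second pair contains a semicolon.
const sampleTarget = "/items?id=1&role=user;admin=1"

// lenientHandler uses r.URL.Query(), which discards the parse error and
// returns only the pairs that parsed cleanly.
func lenientHandler(w http.ResponseWriter, r *http.Request) {
	query := r.URL.Query()
	fmt.Fprintf(w, "id=%q keys=%d", query.Get("id"), len(query))
}

// strictHandler parses RawQuery itself and rejects the request on error.
func strictHandler(w http.ResponseWriter, r *http.Request) {
	query, err := url.ParseQuery(r.URL.RawQuery)
	if err != nil {
		http.Error(w, "malformed query string", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "id=%q keys=%d", query.Get("id"), len(query))
}

// respond runs one handler against a request target (hypothetical helper)
// and returns the status code and response body.
func respond(h http.HandlerFunc, target string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := respond(lenientHandler, sampleTarget)
	fmt.Println("Query():     ", code, body)
	code, body = respond(strictHandler, sampleTarget)
	fmt.Printf("ParseQuery(): %d %q\n", code, body)
}
```

With Query() the handler answers 200 and never learns that the role pair was dropped; with ParseQuery() the same request is rejected with 400.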