
Triage and fix true positive security vulnerabilities found by `govulncheck`

Open mostafa opened this issue 1 year ago • 0 comments

After running the govulncheck tool on the repo, as mentioned in this article, it found four vulnerabilities.

And this is the terminal output:
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.

Scanning for dependencies with known vulnerabilities...
Found 4 known vulnerabilities.

Vulnerability #1: GO-2022-0524
  Calling Reader.Read on an archive containing a large number of
  concatenated 0-length compressed files can cause a panic due to
  stack exhaustion.

  Call stacks in your code:
      auth.go:67:20: github.com/mostafa/xk6-kafka.GetDialer calls github.com/sirupsen/logrus.Logger.WithField, which eventually calls compress/gzip.Reader.Read

  Found in: compress/[email protected]
  Fixed in: compress/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0524

Vulnerability #2: GO-2022-0433
  encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a
  Decode stack overflow via a large amount of PEM data.

  Call stacks in your code:
      auth.go:170:40: github.com/mostafa/xk6-kafka.GetTLSConfig calls crypto/x509.CertPool.AppendCertsFromPEM, which eventually calls encoding/pem.Decode

  Found in: encoding/[email protected]
  Fixed in: encoding/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0433

Vulnerability #3: GO-2022-0520
  Client IP addresses may be unintentionally exposed via
  X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is
  called with a Request.Header map containing a nil value for the
  X-Forwarded-For header, ReverseProxy sets the client IP as the
  value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function
  sets the X-Forwarded-For header value to nil, ReverseProxy
  leaves the header unmodified as expected.

  Call stacks in your code:
      schema_registry.go:323:40: github.com/mostafa/xk6-kafka.Kafka.createSchema calls github.com/riferrei/srclient.SchemaRegistryClient.CreateSchema, which eventually calls net/http.Client.Do

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0520

Vulnerability #4: GO-2022-0525
  The HTTP/1 client accepted some invalid Transfer-Encoding
  headers as indicating a "chunked" encoding. This could
  potentially allow for request smuggling, but only if combined
  with an intermediate server that also improperly failed to
  reject the header as invalid.

  Call stacks in your code:
      schema_registry.go:323:40: github.com/mostafa/xk6-kafka.Kafka.createSchema calls github.com/riferrei/srclient.SchemaRegistryClient.CreateSchema, which eventually calls net/http.Client.Do

  Found in: net/[email protected]
  Fixed in: net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0525

=== Informational ===

The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0537
  Decoding big.Float and big.Rat types can panic if the encoded message is
  too short, potentially allowing a denial of service.

  Found in: math/[email protected]
  Fixed in: math/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0537

Vulnerability #2: GO-2022-0531
  An attacker can correlate a resumed TLS session with a previous connection.

  Session tickets generated by crypto/tls do not contain a randomly
  generated ticket_age_add, which allows an attacker that can observe TLS
  handshakes to correlate successive connections by comparing ticket ages
  during session resumption.

  Found in: crypto/[email protected]
  Fixed in: crypto/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0531

Vulnerability #3: GO-2022-0527
  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Found in: io/[email protected]
  Fixed in: io/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0527

Vulnerability #4: GO-2022-0522
  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Found in: path/[email protected]
  Fixed in: path/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0522

Vulnerability #5: GO-2022-0493
  When called with a non-zero flags parameter, the Faccessat function
  can incorrectly report that a file is accessible.

  Found in: [email protected]
  Fixed in: [email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0493

Vulnerability #6: GO-2022-0435
  A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
  or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
  crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.

  Found in: crypto/[email protected]
  Fixed in: crypto/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2022-0435

mostafa, Sep 07 '22 09:09
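All nine findings above are in the Go standard library, so the remediation is not a `go.mod` bump but a toolchain upgrade to a release at or past every "Fixed in" version, followed by a re-run of `govulncheck ./...`. The snippet below is an added example, not code from xk6-kafka or from govulncheck: a small gate that a CI job (or a Go test) can run to refuse building with a toolchain older than the patched releases. The "Fixed in" versions in the pasted output are garbled (`[email protected]`), so the `fixedIn` list used here is an assumed placeholder; substitute the values from the advisory links. The rule it applies is the one govulncheck's "Fixed in" lines imply: a toolchain is patched if it sits on the same minor line as a listed fix and is at least that new, or on a newer minor line than every listed fix (pre-releases on a newer line are conservatively treated as unpatched).

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go release string such as "go1.18.4".
type GoVersion struct {
	Major, Minor, Patch int
	Prerelease          bool // rc/beta builds rank below the final release
}

// ParseGoVersion parses the form used by runtime.Version() and by
// govulncheck "Fixed in" lines: "go1.18.4", "go1.19", "go1.19rc1",
// "go1.20beta2". A "devel ..." toolchain is rejected because its patch
// level cannot be determined from the string.
func ParseGoVersion(s string) (GoVersion, error) {
	var v GoVersion
	fields := strings.Fields(s)
	if len(fields) == 0 || !strings.HasPrefix(fields[0], "go") {
		return v, fmt.Errorf("not a Go release version: %q", s)
	}
	s = strings.TrimPrefix(fields[0], "go")
	// Split off a pre-release suffix such as "rc1" or "beta2".
	for _, tag := range []string{"rc", "beta"} {
		if i := strings.Index(s, tag); i >= 0 {
			v.Prerelease = true
			s = s[:i]
			break
		}
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unexpected version layout: %q", s)
	}
	nums := make([]int, 3) // missing patch component means .0
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad numeric component %q in %q", p, s)
		}
		nums[i] = n
	}
	v.Major, v.Minor, v.Patch = nums[0], nums[1], nums[2]
	return v, nil
}

// Less reports whether v is an older release than w.
func (v GoVersion) Less(w GoVersion) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	if v.Patch != w.Patch {
		return v.Patch < w.Patch
	}
	return v.Prerelease && !w.Prerelease
}

// ToolchainFixed reports whether toolchain carries a fix that govulncheck
// lists as "Fixed in" the given release lines (one entry per minor line).
// Same minor line: patched iff at least as new as the listed fix.
// Newer minor line than every listed fix: patched, unless a pre-release.
// Older minor line than every listed fix: unpatched (and unsupported).
func ToolchainFixed(toolchain string, fixedIn []string) (bool, error) {
	tc, err := ParseGoVersion(toolchain)
	if err != nil {
		return false, err
	}
	newestFixedMinor := -1
	for _, f := range fixedIn {
		fv, err := ParseGoVersion(f)
		if err != nil {
			return false, fmt.Errorf("fixed version %q: %w", f, err)
		}
		if fv.Major == tc.Major && fv.Minor == tc.Minor {
			return !tc.Less(fv), nil
		}
		if fv.Major == tc.Major && fv.Minor > newestFixedMinor {
			newestFixedMinor = fv.Minor
		}
	}
	return newestFixedMinor >= 0 && tc.Minor > newestFixedMinor && !tc.Prerelease, nil
}

func main() {
	// Assumed placeholder: copy the real "Fixed in" values from the advisory.
	fixedIn := []string{"go1.17.12", "go1.18.4"}
	ok, err := ToolchainFixed(runtime.Version(), fixedIn)
	if err != nil {
		fmt.Println("cannot judge toolchain:", err)
		os.Exit(2)
	}
	fmt.Printf("toolchain %s patched against %v: %v\n", runtime.Version(), fixedIn, ok)
	if !ok {
		os.Exit(1) // fail the build until the toolchain is upgraded
	}
}
```

Run it with the toolchain that builds the k6 binary (the one `xk6 build` uses), not the one on a developer's laptop; the stdlib linked into the extension is whatever compiled it, which is also why bumping `go.mod` dependencies alone would leave every finding above in place.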