xk6-kafka
Triage and fix true positive security vulnerabilities found by `govulncheck`
After running the govulncheck tool on the repo, as mentioned in this article, it found four vulnerabilities. And this is the terminal output:
```
$ govulncheck ./...
govulncheck is an experimental tool. Share feedback at https://go.dev/s/govulncheck-feedback.
Scanning for dependencies with known vulnerabilities...
Found 4 known vulnerabilities.

Vulnerability #1: GO-2022-0524
Calling Reader.Read on an archive containing a large number of
concatenated 0-length compressed files can cause a panic due to
stack exhaustion.
Call stacks in your code:
auth.go:67:20: github.com/mostafa/xk6-kafka.GetDialer calls github.com/sirupsen/logrus.Logger.WithField, which eventually calls compress/gzip.Reader.Read
Found in: compress/[email protected]
Fixed in: compress/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0524

Vulnerability #2: GO-2022-0433
encoding/pem in Go before 1.17.9 and 1.18.x before 1.18.1 has a
Decode stack overflow via a large amount of PEM data.
Call stacks in your code:
auth.go:170:40: github.com/mostafa/xk6-kafka.GetTLSConfig calls crypto/x509.CertPool.AppendCertsFromPEM, which eventually calls encoding/pem.Decode
Found in: encoding/[email protected]
Fixed in: encoding/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0433

Vulnerability #3: GO-2022-0520
Client IP adresses may be unintentionally exposed via
X-Forwarded-For headers. When httputil.ReverseProxy.ServeHTTP is
called with a Request.Header map containing a nil value for the
X-Forwarded-For header, ReverseProxy sets the client IP as the
value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function
sets the X-Forwarded-For header value to nil, ReverseProxy
leaves the header unmodified as expected.
Call stacks in your code:
schema_registry.go:323:40: github.com/mostafa/xk6-kafka.Kafka.createSchema calls github.com/riferrei/srclient.SchemaRegistryClient.CreateSchema, which eventually calls net/http.Client.Do
Found in: net/[email protected]
Fixed in: net/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0520

Vulnerability #4: GO-2022-0525
The HTTP/1 client accepted some invalid Transfer-Encoding
headers as indicating a "chunked" encoding. This could
potentially allow for request smuggling, but only if combined
with an intermediate server that also improperly failed to
reject the header as invalid.
Call stacks in your code:
schema_registry.go:323:40: github.com/mostafa/xk6-kafka.Kafka.createSchema calls github.com/riferrei/srclient.SchemaRegistryClient.CreateSchema, which eventually calls net/http.Client.Do
Found in: net/[email protected]
Fixed in: net/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0525

=== Informational ===
The vulnerabilities below are in packages that you import, but your code
doesn't appear to call any vulnerable functions. You may not need to take any
action. See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
for details.

Vulnerability #1: GO-2022-0537
Decoding big.Float and big.Rat types can panic if the encoded message is
too short, potentially allowing a denial of service.
Found in: math/[email protected]
Fixed in: math/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0537

Vulnerability #2: GO-2022-0531
An attacker can correlate a resumed TLS session with a previous connection.
Session tickets generated by crypto/tls do not contain a randomly
generated ticket_age_add, which allows an attacker that can observe TLS
handshakes to correlate successive connections by comparing ticket ages
during session resumption.
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0531

Vulnerability #3: GO-2022-0527
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Found in: io/[email protected]
Fixed in: io/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0527

Vulnerability #4: GO-2022-0522
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Found in: path/[email protected]
Fixed in: path/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0522

Vulnerability #5: GO-2022-0493
When called with a non-zero flags parameter, the Faccessat function
can incorrectly report that a file is accessible.
Found in: [email protected]
Fixed in: [email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0493

Vulnerability #6: GO-2022-0435
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
Found in: crypto/[email protected]
Fixed in: crypto/[email protected]
More info: https://pkg.go.dev/vuln/GO-2022-0435
```