Comments (7)
Thanks for the details. It looks like the `rqlitestore` was never included in a tagged release of scs and was introduced in between the 2.5.0 and 2.5.1 releases. I think Xray's information about the affected versions of this library is incorrect. There should be no way it could impact scs 1.4.1 and, as you noted, Policy Bot only uses the `cookiestore`.

All that said, I am thinking about this issue again as part of building a new application, so there may be an update shortly.

from go-githubapp.
If there's a reason to modify the session handling, I think we should look for alternate libraries. scs/v2 makes two major changes that I found difficult to work with compared to scs/v1:

- No support for cookies as a storage mechanism. While this is generally good for security, there are situations where cookies are convenient and I think make sense, like for the OAuth state parameter here. The `scs.Store` interface actually makes it impossible to use cookies for state because it does not give access to the `http.ResponseWriter` or a `context.Context`, so I can't think of a way to get an updated cookie into a response.
- Heavily encourages the use of the `LoadAndSave` middleware, which buffers responses and must appear at the highest level of the middleware stack to work with other middleware that might write responses, like error handlers. This is easy to mess up and makes it hard to only use sessions on certain routes (at least given how we set things up in `go-baseapp`.) There's a lower-level interface for saving sessions, but using it requires you to reimplement all the logic to generate and write the session ID cookie.

I think gorilla/sessions is the most popular session library for Go, but I've also had problems with it (although it was probably user error that I didn't properly debug at the time.) And there might be other options to consider.

from go-githubapp.
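The comment above argues that the OAuth `state` parameter is a case where a cookie is the natural store, and that a store abstraction without access to the `http.ResponseWriter` cannot write one. The following is an added illustration of that point, not code from go-githubapp, policy-bot or scs: it keeps the state in an HMAC-signed, short-lived cookie written straight to the `ResponseWriter` at the start of the flow and verified against the `state` query parameter at the callback. The cookie name, the demo key and the `BeginOAuth`/`FinishOAuth` names are assumptions made for the example; the signing scheme is a plain HMAC-SHA256 over the random state value.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// stateCookie is a hypothetical cookie name chosen for this example.
const stateCookie = "oauth_state"

// newState returns a random, URL-safe state value (128 bits of entropy).
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// sign returns base64url(HMAC-SHA256(key, state)).
func sign(key []byte, state string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(state))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// encodeState builds the cookie value "state.signature".
func encodeState(key []byte, state string) string {
	return state + "." + sign(key, state)
}

// decodeState checks the signature on a cookie value and returns the state it carries.
func decodeState(key []byte, value string) (string, error) {
	i := strings.LastIndexByte(value, '.')
	if i < 0 {
		return "", errors.New("malformed state cookie")
	}
	state, sig := value[:i], value[i+1:]
	// Constant-time comparison of the presented and recomputed signatures.
	if !hmac.Equal([]byte(sig), []byte(sign(key, state))) {
		return "", errors.New("state cookie signature mismatch")
	}
	return state, nil
}

// BeginOAuth writes the signed state cookie directly to the ResponseWriter
// (the access the scs.Store interface does not provide) and returns the state
// value to place in the authorization redirect.
func BeginOAuth(w http.ResponseWriter, key []byte) (string, error) {
	state, err := newState()
	if err != nil {
		return "", err
	}
	http.SetCookie(w, &http.Cookie{
		Name:     stateCookie,
		Value:    encodeState(key, state),
		Path:     "/",
		MaxAge:   600, // ten minutes is ample for one authorization round trip
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	return state, nil
}

// FinishOAuth verifies that the callback's state parameter matches the signed
// cookie, then clears the cookie so the state cannot be replayed.
func FinishOAuth(w http.ResponseWriter, r *http.Request, key []byte) error {
	c, err := r.Cookie(stateCookie)
	if err != nil {
		return errors.New("missing state cookie")
	}
	want, err := decodeState(key, c.Value)
	if err != nil {
		return err
	}
	got := r.URL.Query().Get("state")
	if got == "" || !hmac.Equal([]byte(got), []byte(want)) {
		return errors.New("state parameter does not match cookie")
	}
	http.SetCookie(w, &http.Cookie{Name: stateCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
	return nil
}

func main() {
	key := []byte("constructed-demo-key-not-for-production") // constructed sample key
	rec := httptest.NewRecorder()
	state, _ := BeginOAuth(rec, key)
	// Replay the Set-Cookie into a callback request that carries the matching state.
	cb := httptest.NewRequest("GET", "/oauth/callback?state="+state, nil)
	for _, c := range rec.Result().Cookies() {
		cb.AddCookie(c)
	}
	fmt.Println("valid callback:", FinishOAuth(httptest.NewRecorder(), cb, key))
	// A callback whose state does not match the cookie is rejected.
	bad := httptest.NewRequest("GET", "/oauth/callback?state=forged", nil)
	for _, c := range rec.Result().Cookies() {
		bad.AddCookie(c)
	}
	fmt.Println("forged state:", FinishOAuth(httptest.NewRecorder(), bad, key))
}
```

Because the state lives in the client's own cookie, nothing needs to be looked up or written on the server side between the redirect and the callback, which is why a per-route approach like this does not depend on a response-buffering middleware sitting at the top of the stack.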
The policy-bot repo depends on the `oauth2` pkg in this repo, and the dependency on v1.4 of github.com/alexedwards/scs is causing PolicyBot to get flagged with a CVSS 9 vulnerability according to JFrog Xray:
just providing motivation to move this issue forward.
from go-githubapp.
Hi @erikpaasonen,
Thanks for that information. What is the text of the CVE? I don't see any public information about it online. It is possible that it directly affects this repo and downstream consumers (like policy-bot), or potentially not at all.
from go-githubapp.
summary:
rqlitestore Session Token Handling SQL Injection Authentication Bypass

description:
rqlitestore contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the program not properly sanitizing input to session tokens. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data or a bypass of authentication. Once authenticated, the attacker has access to the application with the same privileges as the admin account used during the authentication bypass.

vulnerable versions: < 2.5.1

refs:

The screenshot above is from an Artifactory scan of our policy-bot Docker image.

policy-bot uses the `oauth2` package which is hosted here (but ironically does not use the `rqlitestore` store).
from go-githubapp.
Since realizing that the `cookiestore` code that PolicyBot depends on seems to have been deleted in v2, scrutiny on the embedded dependency of PolicyBot is impeding our efforts to get the Artifactory detection updated.
Are there any opportunities to move quickly off of v1.4.1 while a more permanent solution is engineered?
from go-githubapp.
While we are working on a potential replacement for this internally at the moment, I'm not sure if there are any "quick wins" here.
The fact that `cookiestore` was removed in v2 is one of the problems outlined in #103 (comment). I don't think it's worth porting to another session library right away as a response. policy-bot is not affected by this CVE, and I don't believe the CVE is relevant unless clients use the `rqlitestore`.
from go-githubapp.