-
Notifications
You must be signed in to change notification settings - Fork 0
[Cycode] Fix for vulnerable manifest file dependency - github.com/gofiber/fiber/v2 updated to version 2.52.12 #15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -3,6 +3,6 @@ | |||||||||||||||||||||||||||||
| go 1.15 | ||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||
| require ( | ||||||||||||||||||||||||||||||
| github.com/gofiber/fiber/v2 v2.32.0 | ||||||||||||||||||||||||||||||
| github.com/gofiber/fiber/v2 v2.52.12 | ||||||||||||||||||||||||||||||
|
Check failure on line 6 in infrastructure/health-check/go.mod
|
||||||||||||||||||||||||||||||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❗Cycode: Security vulnerabilities found in newly introduced dependency.
The following vulnerabilities were introduced:
Highest fixed version: 2.52.13 DescriptionDetects when new vulnerabilities affect your dependencies. Tell us how you wish to proceed using one of the following commands:
|
||||||||||||||||||||||||||||||
| github.com/gofiber/template v1.6.27 | ||||||||||||||||||||||||||||||
| ) | ||||||||||||||||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❗Cycode: Security vulnerability found in newly introduced dependency.
github.com/gofiber/fiber/v2github.com/gofiber/fiber/v2 2.52.122.52.13Summary
Description
A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying
Accept: text/htmlon any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affectsgithub.com/gofiber/fiber/v3(DefaultRes.AutoFormat) through version 3.1.0 andgithub.com/gofiber/fiber/v2(Ctx.Format) through version 2.52.12.The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape.
JSON,XML,MsgPack, andCBORall route through encoders that neutralize markup; the txt branch emitstext/plainand cannot execute. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply."Details
The issue resides in
res.gowithin(*DefaultRes).AutoFormat(). The method negotiates against the request Accept header, selects one ofhtml | json | txt | xml | msgpack | cbor, and serializes the caller-supplied body accordingly.The "html" branch concatenates the stringified body directly into HTML markup with no output encoding:
acceptcomes fromr.c.Accepts(...), i.e. is fully attacker-controlled. An attacker can force the "html" branch on anyAutoFormat()call regardless of which format the developer tested against.bis produced frombodyvia direct assignment (string/[]byte) orfmt.Sprintf("%v", body). Nohtml.EscapeStringis applied.text/html; charset=utf-8, so browsers render it as active HTML.Impact
This impacts all current v3 releases ≤ 3.1.0 containing
DefaultRes.AutoFormat, and all current v2 releases ≤ 2.52.12 where the identical"<p>" + b + "</p>"construction exists in(*Ctx).Format(). Exploitation requires that an application callc.AutoFormat(v)wherev(or a field stringified by%v) contains request-influenced data.A handler that uses
AutoFormat()to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sendsAccept: text/html, even if the developer only tested the JSON path.This may result in:
AutoFormat.AutoFormat.Proposed Patch
The injection surface is
r.Type("html")followed byr.SendString(b)with unescaped caller data, where it constructs markup on the caller's behalf around a value whose HTML-ness the caller did not declare. A few options:AutoFormat()should treatbodyas data, not markup, in the"html"branch and escape it before concatenating it into the framework-generated<p>wrapper. Callers that need raw negotiated HTML should useFormat()with an explicit HTML handler.AutoFormatalone for backward compatibility.HTML-escape the value in the "html" branch before concatenating it into the
<p>wrapper.html.EscapeStringescapes<,>,&,',", which is sufficient for an element-text context. Apply the same change to v2's(*Ctx).Format().Proof of Concept
Benign JSON
HTML sink enables XSS
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands: