use exact matching of allowed domain entries, issue #489 (#493) #503

Merged
merged 1 commit into from
Jul 11, 2022

Conversation


@L3n41c L3n41c commented Jul 11, 2022

Backport #493 to fix #489 on the v2 stream of go-restful.

Some Go projects might have indirect dependencies on the v2 version of emicklei/go-restful, so that upgrading to v3.8.0 isn't trivial.
See #489 (comment).

…cklei#493)

* use exact matching of allowed domain entries, issue emicklei#489

* update doc, add testcases from PR conversation

* introduce AllowedDomainFunc emicklei#489

* more tests, fix doc

* lowercase origin before checking cors
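The exact-match check the PR title and the commit list above describe, as an added Go example that is not code from go-restful or from this PR. The type and function names (CORSPolicy, IsOriginAllowed, SubdomainsOf) and the AllowedDomainFunc signature are assumptions made for this example, not the library's API; looseOriginAllowed illustrates the general class of loose comparison that exact matching replaces and is not a claim about what the library's former code did.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// AllowedDomainFunc is a hook with the name used in the PR's commit list.
// The signature here is an assumption for this example, not the library's API.
type AllowedDomainFunc func(origin string) bool

// CORSPolicy is a stand-in for a CORS filter configuration (example type).
type CORSPolicy struct {
	AllowedDomains    []string
	AllowedDomainFunc AllowedDomainFunc
}

// looseOriginAllowed accepts any Origin that merely contains an allowed entry.
// It illustrates the class of bypass that exact matching removes; it is not
// the library's former code.
func looseOriginAllowed(allowed []string, origin string) bool {
	for _, d := range allowed {
		if strings.Contains(origin, d) {
			return true
		}
	}
	return false
}

// IsOriginAllowed lowercases the Origin header, compares it for equality with
// each configured entry, and otherwise defers to AllowedDomainFunc when one is
// set. Anything else, including an empty Origin, is denied.
func (p CORSPolicy) IsOriginAllowed(origin string) bool {
	if origin == "" {
		return false
	}
	origin = strings.ToLower(origin)
	for _, d := range p.AllowedDomains {
		if origin == strings.ToLower(d) {
			return true
		}
	}
	if p.AllowedDomainFunc != nil {
		return p.AllowedDomainFunc(origin)
	}
	return false
}

// SubdomainsOf returns an AllowedDomainFunc that accepts https origins whose
// parsed host is base or a subdomain of base. Matching on the parsed host and
// scheme, not on the raw string, is what keeps "https://example.com.evil.net"
// and "https://example.com@evil.net" out.
func SubdomainsOf(base string) AllowedDomainFunc {
	base = strings.ToLower(base)
	return func(origin string) bool {
		u, err := url.Parse(origin)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			return false
		}
		host := u.Hostname() // strips any port
		return host == base || strings.HasSuffix(host, "."+base)
	}
}

func main() {
	p := CORSPolicy{
		AllowedDomains:    []string{"https://example.com"},
		AllowedDomainFunc: SubdomainsOf("example.com"),
	}
	// Constructed sample origins: the legitimate site, a case variant, a
	// subdomain, two lookalike/attacker origins, a non-https origin, and empty.
	for _, o := range []string{
		"https://example.com",
		"HTTPS://EXAMPLE.COM",
		"https://api.example.com",
		"https://example.com.evil.net",
		"https://example.com@evil.net",
		"http://api.example.com",
		"",
	} {
		fmt.Printf("%-32q loose=%-5v exact=%v\n",
			o, looseOriginAllowed(p.AllowedDomains, o), p.IsOriginAllowed(o))
	}
}
```

The three decisions the example keeps separate are the ones worth checking in a CORS filter: fold the Origin to lowercase before comparing, compare the configured list with equality rather than substring or suffix matching, and put any wildcard-style acceptance into the callback, where it can be done on the parsed scheme and host instead of the raw header string.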
@codecov-commenter

Codecov Report

Merging #503 (932dd83) into master (d9c71e1) will increase coverage by 0.12%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master     #503      +/-   ##
==========================================
+ Coverage   70.35%   70.47%   +0.12%     
==========================================
  Files          26       26              
  Lines        1545     1531      -14     
==========================================
- Hits         1087     1079       -8     
+ Misses        386      383       -3     
+ Partials       72       69       -3     
Impacted Files   Coverage Δ
cors_filter.go   63.44% <100.00%> (+0.82%) ⬆️

@emicklei (Owner)

@L3n41c thank you for contributing

@aleclerc-sonrai

This is still showing up in trivy (2.16.0 as vulnerable)


+--------------------------------+------------------+----------+----------------------+---------------+--------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY |  INSTALLED VERSION   | FIXED VERSION |                TITLE                 |
+--------------------------------+------------------+----------+----------------------+---------------+--------------------------------------+
| github.com/emicklei/go-restful | CVE-2022-1996    | CRITICAL | v2.16.0+incompatible | v3.8.0        | go-restful: Authorization Bypass     |
|                                |                  |          |                      |               | Through User-Controlled Key          |
|                                |                  |          |                      |               | -->avd.aquasec.com/nvd/cve-2022-1996 |
+--------------------------------+------------------+----------+----------------------+---------------+--------------------------------------+

Does anyone know how to get that updated in the NVD database to also add 2.16.0 as a 'fixed' version?

Barakmor1 pushed a commit to Barakmor1/kubevirt that referenced this pull request Jul 14, 2022
Because of a security issue in go-restful v2.15.0
emicklei/go-restful#503
Signed-off-by: bmordeha <bmodeha@redhat.com>
kubevirt-bot pushed a commit to kubevirt-bot/kubevirt that referenced this pull request Jul 17, 2022
…in go-restful v2.15.0 emicklei/go-restful#503 Signed-off-by: bmordeha <bmodeha@redhat.com>
@emicklei (Owner)

maybe trivy cannot handle the fact that we have 2 active branches (with and without Go modules).

vasiliy-ul added a commit to vasiliy-ul/containerized-data-importer that referenced this pull request Jul 26, 2022
The updated version fixes 'Authorization Bypass Through User-Controlled
Key' vulnerability (CVE-2022-1996).

References:
emicklei/go-restful#489
emicklei/go-restful#503

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>
kubevirt-bot pushed a commit to kubevirt/containerized-data-importer that referenced this pull request Jul 27, 2022
The updated version fixes 'Authorization Bypass Through User-Controlled
Key' vulnerability (CVE-2022-1996).

References:
emicklei/go-restful#489
emicklei/go-restful#503

Signed-off-by: Vasiliy Ulyanov <vulyanov@suse.de>

4 participants