This repository has been archived by the owner on May 24, 2023. It is now read-only.

Gosec G108 (CWE-200): Profiling endpoint is automatically exposed on /debug/pprof #27

Open
scjudd opened this issue Dec 9, 2020 · 0 comments

Comments


scjudd commented Dec 9, 2020

$ gosec ./...
[gosec] 2020/12/09 12:31:31 Including rules: default
[gosec] 2020/12/09 12:31:31 Excluding rules: default
[gosec] 2020/12/09 12:31:31 Import directory: /home/user/Sources/logstash_exporter/collector
[gosec] 2020/12/09 12:31:31 Checking package: collector
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/api_base.go
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/logstash.go
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/nodeinfo_api.go
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/nodeinfo_collector.go
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/nodestats_api.go
[gosec] 2020/12/09 12:31:31 Checking file: /home/user/Sources/logstash_exporter/collector/nodestats_collector.go
[gosec] 2020/12/09 12:31:31 Import directory: /home/user/Sources/logstash_exporter
[gosec] 2020/12/09 12:31:32 Checking package: main
[gosec] 2020/12/09 12:31:32 Checking file: /home/user/Sources/logstash_exporter/logstash_exporter.go
Results:


[/home/user/Sources/logstash_exporter/logstash_exporter.go:5] - G108 (CWE-200): Profiling endpoint is automatically exposed on /debug/pprof (Confidence: HIGH, Severity: HIGH)
    4: 	"net/http"
  > 5: 	_ "net/http/pprof"
    6: 	"sync"



Summary:
   Files: 7
   Lines: 1361
   Nosec: 0
  Issues: 1

And indeed, browsing http://localhost:9198/debug/pprof/ leaks a bunch of info. Can we remove this?

@scjudd scjudd changed the title GoSec G108 (CWE-200): Profiling endpoint is automatically exposed on /debug/pprof Gosec G108 (CWE-200): Profiling endpoint is automatically exposed on /debug/pprof Dec 9, 2020
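The finding above comes from the mechanics of the blank import: `net/http/pprof` registers its handlers on `http.DefaultServeMux` in its `init()`, and a server started with a nil handler (`http.ListenAndServe(addr, nil)`) serves `DefaultServeMux`, so the profiler rides along on whatever port the exporter listens on. The following is an added example written for this page, not code from logstash_exporter or from the issue author. It shows the fix a reviewer would ask for: serve an explicit mux on the public port, and, if profiling is wanted at all, mount the pprof handlers on a second mux bound to loopback. The function names `newPublicMux`, `newDebugMux` and `statusFor`, the loopback address `127.0.0.1:6060` and the placeholder metrics handler are assumptions made here; `:9198` is the port from the report.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"time"
)

// Importing net/http/pprof (blank or named) runs its init(), which registers
// /debug/pprof/* on http.DefaultServeMux. The mitigation is therefore not
// "import it differently" but "never serve DefaultServeMux on a public port".

// newPublicMux builds the handler for the externally reachable metrics port.
// Only the routes added here are served; DefaultServeMux is not consulted.
func newPublicMux(metrics http.Handler) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/metrics", metrics)
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r) // anything not registered above, including /debug/pprof/, is 404
			return
		}
		w.Write([]byte(`<html><body><a href="/metrics">Metrics</a></body></html>`))
	})
	return mux
}

// newDebugMux registers the same pprof handlers the blank import would, but on
// a mux we control, intended to be bound to loopback only (assumed 127.0.0.1:6060).
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// statusFor is an offline check: it routes a GET for path through h and returns
// the HTTP status code, so exposure can be verified without opening a socket.
func statusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Constructed stand-in for the real Prometheus metrics handler.
	metrics := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("# placeholder metrics output\n"))
	})

	// Before the change, http.ListenAndServe(":9198", nil) would serve
	// DefaultServeMux and therefore /debug/pprof/. This is what gets logged as evidence:
	log.Printf("DefaultServeMux /debug/pprof/ -> %d (exposed when served with a nil handler)",
		statusFor(http.DefaultServeMux, "/debug/pprof/"))

	public := &http.Server{Addr: ":9198", Handler: newPublicMux(metrics), ReadHeaderTimeout: 5 * time.Second}
	debug := &http.Server{Addr: "127.0.0.1:6060", Handler: newDebugMux(), ReadHeaderTimeout: 5 * time.Second}

	go func() { log.Fatal(debug.ListenAndServe()) }()
	log.Fatal(public.ListenAndServe())
}
```

If profiling is not needed in production, drop the pprof import entirely and keep only `newPublicMux`; the explicit mux is still worth keeping, because any future dependency that registers on `DefaultServeMux` in an `init()` would otherwise be exposed the same way.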