Colly has vulnerabilities with medium criticality #764

Open
m-carneiro opened this issue Apr 20, 2023 · 4 comments

Comments

@m-carneiro

CWE-916: Use of Password Hash With Insufficient Computational Effort

On http_backend.go:136

The sha1 hash function is no longer considered secure for cryptographic purposes, as it is vulnerable to attacks such as length extension and collision. To make your hashing more secure, I recommend using a more secure hash function like SHA-256, which is a part of the SHA-2 family, or SHA-3. Here's an example of how to use SHA-256 in Go:

    hasher := sha256.New()
    hasher.Write([]byte(url))
    sum := hasher.Sum(nil)

On instagram.go:99

MD5 is an outdated and insecure cryptographic hash function that is not recommended for security-sensitive applications. To make your hashing more secure, you can use a modern hash function like SHA-256, which is part of the SHA-2 family, or SHA-3. Here's an example of how to use SHA-256 in Go:

    hasher := sha256.New()
    hasher.Write(data)
    sum := hasher.Sum(nil)

Tried to do a pull request but 403.

mtscrnr
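The SHA-256 replacement suggested above, worked through as an added example that is neither part of this issue nor colly's own code: the URL is hashed and the hex digest is used as a cache file name, which is what the `url` argument in the snippet points at. The two-character shard directory and the sample URLs are assumptions made for illustration; note that changing the digest also changes every key, so an existing on-disk cache written with 40-character SHA-1 names will no longer be hit.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
)

// cacheKey derives a fixed-length, filesystem-safe key from a request URL.
// SHA-256 stands in for SHA-1 here; the hex digest is 64 characters long
// instead of 40, so old SHA-1-named cache entries are simply never found.
func cacheKey(url string) string {
	sum := sha256.Sum256([]byte(url))
	return hex.EncodeToString(sum[:])
}

// cachePath places the entry in a two-character shard directory under
// cacheDir. The shard layout is an assumption for this example only, not a
// description of colly's cache layout.
func cachePath(cacheDir, url string) string {
	key := cacheKey(url)
	return filepath.Join(cacheDir, key[:2], key)
}

func main() {
	// Constructed sample URLs, not taken from any real crawl.
	for _, u := range []string{
		"https://example.com/page?id=1",
		"https://example.com/page?id=2",
	} {
		fmt.Println(u, "->", cachePath("/tmp/colly-cache", u))
	}
}
```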

@WGH-
Collaborator

WGH- commented Apr 20, 2023

On http_backend.go:136

This indeed might be improved.

On instagram.go:99

This code replicates the Instagram algorithm that "authenticates" requests (though the code is likely outdated, and I doubt it works as is, since antibot protection has likely been improved since).

Tried to do a pull request but 403.

What do you mean?

@m-carneiro
Author

What do you mean?

Permission denied.

    > git push -u origin remediating_hashing_vulns
    remote: Permission to gocolly/colly.git denied to m-carneiro.
    fatal: unable to access 'https://github.com/gocolly/colly.git/': The requested URL returned error: 403

@WGH-
Collaborator

WGH- commented Apr 21, 2023

Permission denied.

    > git push -u origin remediating_hashing_vulns
    remote: Permission to gocolly/colly.git denied to m-carneiro.
    fatal: unable to access 'https://github.com/gocolly/colly.git/': The requested URL returned error: 403

In order to contribute, you have to create a fork, push your changes there, and submit a pull request. See https://docs.github.com/en/get-started/quickstart/contributing-to-projects

@Delicious-Bacon

Could you also check the net package while at it? It's "high severity".

Dependency: golang.org/x/net
Version: < 0.7.0
Upgrade to: ~> 0.7.0
