Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix vulnerabilities CWE-113 (issue #4208 issue #4209) #4210

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix vulnerabilities CWE-113 (issue #4208 issue #4209) #4210

wants to merge 3 commits into from

Conversation

omordyk
Copy link

@omordyk omordyk commented Dec 16, 2024
edited
Loading

Description

Software places user-controlled input in HTTP headers. An attacker could inject line separators (CR/LF sequences) that could split the response message generated by the software into two messages. The second response is completely under the control of the attacker (intermediate web proxies may cache it), with could produce multiple conditions (web defacement, cache poisoning, cross-site scripting or page hijacking, see CWE-113 for full details). If software needs to generate HTTP headers depending on user-controlled input, such input should be properly neutralized (a white-list validation excluding CR/LF is recommended). Please note that cookies are received and sent in 'Cookie' header in HTTP messages, so if the software generates a Cookie from user input, the input should be properly validated as well.

issue #4208
issue #4209

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

make and make test

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings
  • I have tagged the reviewers in a comment below incase my pull request is ready for a review
  • I have signed the commit message to agree to Developer Certificate of Origin (DCO) (to certify that you wrote or otherwise have the right to submit your contribution to the project.) by adding "--signoff" to my git commit command.

@omordyk
Issue #4208 - Fix vulnerability CWE-113
8fca536 
Signed-off-by: Oleksandr Mordyk <oleksandr.mordyk1994@outlook.com>
@omordyk
Issue #4209 - Fix vulnerability CWE-113
17fceea 
Signed-off-by: Oleksandr Mordyk <oleksandr.mordyk1994@outlook.com>
@omordyk
Merge branch 'master' into security_4208_4209
a65fe73
This was referenced Dec 16, 2024
Open
Open
This was linked to issues Dec 16, 2024
Vulnerability CWE-113 agreementbot/api.go:325 #4208
Open
Vulnerability CWE-113 api/api.go:140 #4209
Open
@omordyk omordyk self-assigned this Dec 16, 2024
@omordyk
Copy link
Author

omordyk commented Dec 18, 2024

Ran SAST(Contrast) and checked that vulnerabilities were fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@geforcelive2 geforcelive2 Awaiting requested review from geforcelive2

@LiilyZhang LiilyZhang Awaiting requested review from LiilyZhang

@dlarson04 dlarson04 Awaiting requested review from dlarson04

At least 1 approving review is required to merge this pull request.

Assignees

@omordyk omordyk

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Vulnerability CWE-113 api/api.go:140 Vulnerability CWE-113 agreementbot/api.go:325
1 participant
@omordyk