Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVnamctamdoNC1ncHBt
Websocket requests did not call AuthenticateMethod
Impact
Depending on implementation, a denial-of-service or privilege escalation vulnerability may occur in software that uses the github.com/ecnepsnai/web package with Web Sockets that have an AuthenticateMethod.
The AuthenticateMethod is not called, and UserData will be nil in request methods. Attempts to read the UserData may result in a panic.
This issue only affects web sockets where an AuthenticateMethod is supplied to the handle options. Users who do not use web sockets, or users who do not require authentication are not at risk.
Example
In the example below, one would expect that the AuthenticateMethod function would be called for each request to /example
handleOptions := web.HandleOptions{
AuthenticateMethod: func(request *http.Request) interface{} {
// Assume there is logic here to check for an active sessions, look at cookies or headers, etc...
var session Session{} // Example
return session
},
}
server.Socket("/example", handle, handleOptions)
However, the method is not called, and therefor the UserData parameter of the request object in the handle will be nil, when it would have been expected to be the session object we returned.
Patches
Release v1.5.2 fixes this vulnerability. The authenticate method is now called for websocket requests.
All users of the web package should update to v1.5.2 or later.
Workarounds
You may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.
Permalink: https://github.com/advisories/GHSA-5gjg-jgh4-gppmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTVnamctamdoNC1ncHBt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: about 1 year ago
Identifiers: GHSA-5gjg-jgh4-gppm
References:
- https://github.com/ecnepsnai/web/security/advisories/GHSA-5gjg-jgh4-gppm
- https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
- https://pkg.go.dev/vuln/GO-2021-0107
- https://github.com/advisories/GHSA-5gjg-jgh4-gppm
Blast Radius: 0.0
Affected Packages
go:github.com/ecnepsnai/web
Dependent packages: 1Dependent repositories: 2
Downloads:
Affected Version Ranges: >= 1.4.0, < 1.5.2
Fixed in: 1.5.2
All affected versions: 1.4.0, 1.5.0, 1.5.1
All unaffected versions: 1.3.3, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4