dvwright / xss-mw

XssMw is a middleware designed to "auto remove XSS" from user-submitted input. It is written in Go and targets the Gin web framework.
MIT License

Panic Error: bytes.Buffer: truncation out of range #5

Closed bonedaddy closed 5 years ago

bonedaddy commented 5 years ago

Running a web service scan using Acunetix, the following panic occurred; let me know if there's any other information I can provide.

2019/01/03 23:21:03 [Recovery] 2019/01/03 - 23:21:03 panic recovered:
POST /NmConsole/CoreNm/User/DlgUserLogin/DlgUserLogin.asp HTTP/1.1
Host: nuts.rtradetechnologies.com:6767
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
Connection: Keep-Alive
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

bytes.Buffer: truncation out of range
/usr/local/go/src/runtime/panic.go:513 (0x42d8c8)
        gopanic: reflectcall(nil, unsafe.Pointer(d.fn), deferArgs(d), uint32(d.siz), uint32(d.siz))
/usr/local/go/src/bytes/buffer.go:90 (0x11cf716)
        (*XssMw).HandleXFormEncoded: panic("bytes.Buffer: truncation out of range")
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:269 (0x11cf716)
        (*XssMw).HandleXFormEncoded: bq.Truncate(bq.Len() - 1) // remove last '&'
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:194 (0x11cf000)
        (*XssMw).XssRemove: err := mw.HandleXFormEncoded(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:109 (0x11cec39)
        (*XssMw).callRemoveXss: err := mw.XssRemove(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:90 (0x11d2083)
        (*XssMw).RemoveXss.func1: mw.callRemoveXss(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x11b0262)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/zsais/go-gin-prometheus/middleware.go:364 (0x1237f4e)
        (*Prometheus).HandlerFunc.func1: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x11b0262)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/recovery.go:76 (0x11c2949)
        RecoveryWithWriter.func1: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x11b0262)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/logger.go:84 (0x11c1681)
        LoggerWithWriter.func1: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x11b0262)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/gin.go:419 (0x11b9657)
        serveError: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/gin.go:412 (0x11b938b)
        (*Engine).handleHTTPRequest: serveError(c, http.StatusNotFound, default404Body)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/gin.go:349 (0x11b8e01)
        (*Engine).ServeHTTP: engine.handleHTTPRequest(c)
/usr/local/go/src/net/http/server.go:2741 (0x6d9c1a)
        serverHandler.ServeHTTP: handler.ServeHTTP(rw, req)
/usr/local/go/src/net/http/server.go:1847 (0x6d5e15)
        (*conn).serve: serverHandler{c.server}.ServeHTTP(w, w.req)
/usr/local/go/src/runtime/asm_amd64.s:1333 (0x45b860)
        goexit: BYTE    $0x90   // NOP

dvwright commented 5 years ago

Hi @postables Thanks, I'll work on this next.

bonedaddy commented 5 years ago

Thanks! Any idea what's causing the issue?

dvwright commented 5 years ago

It looks like there is a POST on an API endpoint which this lib is attempting to process, can't, and fails badly.

bonedaddy commented 5 years ago

Ah interesting, this is the first issue I've witnessed when using this package. The issue came about running a network scan with acunetix. I've been using this library with post requests for quite some time and have suffered no issues thus far.
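Both traces point at the same line, `bq.Truncate(bq.Len() - 1) // remove last '&'` in `HandleXFormEncoded`: the middleware rebuilds the form body as `key=value&` pairs and then cuts the final separator, and a form-encoded POST with `Content-Length: 0` leaves the buffer empty, so `Truncate(-1)` panics. The block below is an added example, not the library's code, reproducing that pattern beside a guarded rewrite; `sanitize` is a stand-in that only HTML-escapes.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"net/url"
)

// sanitize stands in for the library's XSS filter; here it only HTML-escapes.
func sanitize(s string) string { return html.EscapeString(s) }

// writeFields appends each field as "key=value&", as the middleware does before cutting the last '&'.
func writeFields(bq *bytes.Buffer, form url.Values) {
	for k, vs := range form {
		for _, v := range vs {
			bq.WriteString(url.QueryEscape(k) + "=" + url.QueryEscape(sanitize(v)) + "&")
		}
	}
}

// rebuildBodyUnguarded mirrors xss.go:269: on an empty form the buffer is empty and Truncate(-1) panics.
func rebuildBodyUnguarded(form url.Values) string {
	var bq bytes.Buffer
	writeFields(&bq, form)
	bq.Truncate(bq.Len() - 1) // remove last '&'
	return bq.String()
}

// rebuildBodyGuarded strips the separator only when one was written, so an empty body yields "".
func rebuildBodyGuarded(form url.Values) string {
	var bq bytes.Buffer
	writeFields(&bq, form)
	if bq.Len() > 0 {
		bq.Truncate(bq.Len() - 1) // remove last '&'
	}
	return bq.String()
}

// unguardedPanics reports whether the unguarded version panics on the given form.
func unguardedPanics(form url.Values) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	rebuildBodyUnguarded(form)
	return false
}

func main() {
	// url.Values{} is a constructed stand-in for what a Content-Length: 0 POST parses to.
	fmt.Println("unguarded panics on empty body:", unguardedPanics(url.Values{}))
}
```

Go map iteration order is random, so a multi-key form may come back with its fields reordered; that is harmless for the middleware but matters if you compare rebuilt bodies byte for byte.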

dvwright commented 5 years ago

Hi, can you pull the newest changes? I can't reproduce the issue but I made a change which should resolve the issue. Thanks

bonedaddy commented 5 years ago

Awesome thank you very much :D

dvwright commented 5 years ago

Glad it resolved the issue, thanks for the report, cheers!

bonedaddy commented 5 years ago

@dvwright Hey, quick follow-up: apparently during our testing, before we updated to the latest version that you published which fixed the issue, go test -race was reporting a race condition in the XSS middleware; however, updating to pull in the panic fix you made also seemed to resolve the race detection.

Not sure if you want me to open another issue, or provide any of the logs from our travis build that detected the race condition before we updated the dependency.

bonedaddy commented 5 years ago

@dvwright hey I seem to have gotten another issue:

2019/03/02 02:28:59 [Recovery] 2019/03/02 - 02:28:59 panic recovered:
POST /v2/ipfs/public/pin/QmY8VGk1QRd7ko87wk3YscWBRvokzDeH4xobJudCbGNM6B HTTP/1.1
Host: dev.api.temporal.cloud
Accept-Encoding: gzip
Authorization: ........
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
User-Agent: Go-http-client/1.1

bytes.Buffer: truncation out of range
/usr/local/go/src/bytes/buffer.go:92 (0x127774f)
        (*Buffer).Truncate: panic("bytes.Buffer: truncation out of range")
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:269 (0x12774d6)
        (*XssMw).HandleXFormEncoded: bq.Truncate(bq.Len() - 1) // remove last '&'
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:194 (0x1276f9e)
        (*XssMw).XssRemove: err := mw.HandleXFormEncoded(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:109 (0x1276b8f)
        (*XssMw).callRemoveXss: err := mw.XssRemove(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/dvwright/xss-mw/xss.go:90 (0x127a173)
        (*XssMw).RemoveXss.func1: mw.callRemoveXss(c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x1216f79)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/recovery.go:76 (0x1229c29)
        RecoveryWithWriter.func1: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x1216f79)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/logger.go:223 (0x1228f30)
        LoggerWithConfig.func1: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/context.go:109 (0x1216f79)
        (*Context).Next: c.handlers[c.index](c)
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/gin.go:387 (0x122055c)
        (*Engine).handleHTTPRequest: c.Next()
/home/rtrade/go/src/github.com/RTradeLtd/Temporal/vendor/github.com/gin-gonic/gin/gin.go:350 (0x121fdb3)
        (*Engine).ServeHTTP: engine.handleHTTPRequest(c)
/usr/local/go/src/net/http/server.go:2774 (0x716e1a)
        serverHandler.ServeHTTP: handler.ServeHTTP(rw, req)
/usr/local/go/src/net/http/server.go:1878 (0x712a2b)
        (*conn).serve: serverHandler{c.server}.ServeHTTP(w, w.req)
/usr/local/go/src/runtime/asm_amd64.s:1337 (0x45bb60)
        goexit: BYTE    $0x90   // NOP

dvwright commented 5 years ago

Hi @postables Thanks, I'll look into it

dvwright commented 5 years ago

Hi @postables see if this latest commit fixes the issue you found - https://github.com/dvwright/xss-mw/commit/a00cba88ec98902cf5238c857862949dc734fcc1

Thanks