hasura / go-graphql-client

Package graphql provides a GraphQL client implementation.
MIT License

security issue with github.com/gin-gonic/gin #73

Closed rafaelvanoni closed 1 year ago

rafaelvanoni commented 1 year ago

GitHub's Dependabot flagged versions < 1.7.0 of github.com/gin-gonic/gin with the following issue:

This affects all versions of package github.com/gin-gonic/gin under 1.7.0. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.

rafaelvanoni commented 1 year ago

Looks like this is imported as a dependency of nhooyr.io/websocket, is it possible to upgrade that package?

hgiasac commented 1 year ago

There hasn't been any new update from nhooyr.io/websocket. Therefore we can't update either, unless we fork the websocket library into another repository. Reference: https://github.com/nhooyr/websocket/issues?q=gin

AFAIK the library uses github.com/gin-gonic/gin for unit tests only. The library is still safe to use.

rafaelvanoni commented 1 year ago

I was able to work around this with

replace github.com/gin-gonic/gin v1.6.3 => github.com/gin-gonic/gin v1.7.7
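
As an added example (not code from this thread or from the go-graphql-client project), a small shell helper that reads `go mod why -m` output and tells whether a flagged module is linked into the build or, as hgiasac argues for gin here, only reached through a dependency's tests. The sample outputs are constructed, and `example.com/myservice` is a placeholder module path.

```shell
#!/bin/sh
# Added example, not from the issue thread or the go-graphql-client project.
# Classifies how a module is reached from the main module by reading the output
# of `go mod why -m <module>`, run in the consuming module's directory:
#   go mod why -m github.com/gin-gonic/gin | classify_reach
# Each output line is a package on the shortest import chain. A package imported
# only by tests carries a ".test" suffix; a module that is not needed at all is
# reported as "(main module does not need module ...)". A chain that passes
# through a ".test" package never reaches the compiled binary.
classify_reach() {
  awk '
    /^#/                           { next }             # "# <module>" header line
    /^\(main module does not need/ { unused = 1; exit }  # not in the build graph
    /\.test$/                      { via_test = 1 }     # reached through test code
                                   { hops++ }
    END {
      if (unused)        print "unused"
      else if (via_test) print "test-only"
      else if (hops > 0) print "production"
      else               print "unknown"
    }'
}

# Constructed sample outputs shaped like `go mod why -m`, not captured from a real run.
# The module paths are those named in the issue; the chains themselves are illustrative.
SAMPLE_TEST_ONLY='# github.com/gin-gonic/gin
github.com/hasura/go-graphql-client
nhooyr.io/websocket
nhooyr.io/websocket.test
github.com/gin-gonic/gin'

SAMPLE_PRODUCTION='# github.com/gin-gonic/gin
example.com/myservice
example.com/myservice/internal/api
github.com/gin-gonic/gin'

SAMPLE_UNUSED='# github.com/gin-gonic/gin
(main module does not need module github.com/gin-gonic/gin)'

# Only "production" means the flagged code is part of the binary. A "test-only"
# verdict still merits pinning the version (the `replace` directive shown in the
# thread, or `go mod edit -replace github.com/gin-gonic/gin@v1.6.3=github.com/gin-gonic/gin@v1.7.7`)
# so that scanners that only read go.mod/go.sum stop reporting it.
for sample in "$SAMPLE_TEST_ONLY" "$SAMPLE_PRODUCTION" "$SAMPLE_UNUSED"; do
  printf '%s\n' "$sample" | classify_reach
done
```

`govulncheck` makes the same distinction from the call graph, so running it alongside Dependabot separates a reachable vulnerability from a version string in go.sum.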

hgiasac commented 1 year ago

Closed in favor of https://github.com/hasura/go-graphql-client/commit/10471cf9d8df859e36584a8821e5ffc3d91c76b8