microsoft / go-mssqldb

Microsoft SQL server driver written in go language
BSD 3-Clause "New" or "Revised" License

Vulnerability dependency x/net #203

Closed tulioncds closed 3 months ago

tulioncds commented 3 months ago

CVE-2023-45288: https://osv.dev/vulnerability/GHSA-4v7x-pqxf-cx7m

Summary: net/http, x/net/http2: close connections when receiving too many headers

Details: An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
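
The accounting the advisory describes, as an added Go model that is not code from go-mssqldb or from x/net: a per-connection tracker still parses every HEADERS and CONTINUATION fragment (HPACK state has to stay in sync even for a request that will be rejected), marks the request rejected once a block passes maxHeaderBytes, and, in the fixed variant, closes the connection once the bytes parsed beyond that limit exceed an excess budget. The frame type, the byte counts and the budget values are constructed for the example; the real fix lives in x/net's frame reader and its exact thresholds are not reproduced here.

```go
package main

import "fmt"

// frame is a constructed, simplified view of an HTTP/2 HEADERS or
// CONTINUATION frame: only the header-block fragment length and the
// END_HEADERS flag matter for the accounting modelled here.
type frame struct {
	fragmentLen int
	endHeaders  bool
}

// decision is what the endpoint does after accounting for one frame.
type decision int

const (
	keepReading     decision = iota // block within limit, keep parsing
	rejectRequest                   // block exceeded maxHeaderBytes: request rejected, connection kept
	closeConnection                 // excess budget exhausted: tear the connection down
)

// tracker models the per-connection accounting. maxHeaderBytes is the
// per-request limit (what http.Server.MaxHeaderBytes bounds); excessBudget
// is the total number of header bytes beyond that limit the endpoint is
// willing to parse on one connection before closing it. A budget of 0
// reproduces the pre-fix behaviour: excess is parsed without bound.
type tracker struct {
	maxHeaderBytes int
	excessBudget   int
	blockBytes     int // bytes seen in the current header block
	excessBytes    int // bytes parsed beyond the limit, summed over the connection
}

func nonNeg(n int) int {
	if n < 0 {
		return 0
	}
	return n
}

// onFrame accounts for one HEADERS/CONTINUATION frame and returns the
// resulting decision. The fragment is always "parsed"; only the decision
// about the request and the connection changes.
func (t *tracker) onFrame(f frame) decision {
	overBefore := nonNeg(t.blockBytes - t.maxHeaderBytes)
	t.blockBytes += f.fragmentLen
	overAfter := nonNeg(t.blockBytes - t.maxHeaderBytes)
	t.excessBytes += overAfter - overBefore
	if f.endHeaders {
		t.blockBytes = 0 // the next HEADERS frame starts a fresh block
	}
	switch {
	case t.excessBudget > 0 && t.excessBytes > t.excessBudget:
		return closeConnection
	case overAfter > 0:
		return rejectRequest
	default:
		return keepReading
	}
}

// firstClose feeds frames to a fresh tracker and returns the index of the
// frame at which the connection was closed, or -1 if it never was.
func firstClose(maxHeaderBytes, excessBudget int, frames []frame) int {
	t := &tracker{maxHeaderBytes: maxHeaderBytes, excessBudget: excessBudget}
	for i, f := range frames {
		if t.onFrame(f) == closeConnection {
			return i
		}
	}
	return -1
}

// unterminatedBlock is constructed input: one HEADERS frame followed by n
// CONTINUATION frames, none carrying END_HEADERS, i.e. a single header block
// that never ends. This is the shape of input the advisory describes.
func unterminatedBlock(n, fragmentLen int) []frame {
	frames := make([]frame, n+1)
	for i := range frames {
		frames[i] = frame{fragmentLen: fragmentLen}
	}
	return frames
}

func main() {
	in := unterminatedBlock(1000, 100) // 1001 frames, 100 bytes each
	fmt.Println("pre-fix, unbounded excess:  closed at frame", firstClose(100, 0, in))
	fmt.Println("fixed, 150-byte excess cap: closed at frame", firstClose(100, 150, in))
}
```

With a budget of 0 the same unterminated block is parsed frame after frame and the connection is never closed, which is the condition the CVE describes; with a budget the connection is dropped after a bounded amount of wasted decoding. The budget here is per connection, so a peer that keeps sending over-limit but properly terminated blocks eventually trips it as well.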

shueybubbles commented 3 months ago

@tulioncds thx for the PR. Missing a go mod tidy

```text
Error: ../../../go/pkg/mod/github.com/!azure/azure-sdk-for-go/sdk/azcore@v1.9.1/runtime/transport_default_http_client.go:15:2: missing go.sum entry for module providing package golang.org/x/net/http2 (imported by github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime); to add:
    go get github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime@v1.9.1
Error: ../../../go/pkg/mod/github.com/jcmturner/rpc/v2@v2.0.3/mstypes/claims.go:10:2: missing go.sum entry for module providing package golang.org/x/net/http2/hpack (imported by github.com/jcmturner/rpc/v2/mstypes); to add:
    go get github.com/jcmturner/rpc/v2/mstypes@v2.0.3
Error: Process completed with exit code 1.
```

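
The CI failure above is the usual symptom of a go.mod bumped by hand without a matching go.sum refresh. As an added Go example that is not go-mssqldb's code, the following parses constructed go.mod and go.sum text, flags a golang.org/x/net requirement that is still below the fixed version, and lists requirements that have no go.sum entry, which is exactly what the "missing go.sum entry" errors complain about. The fixed version is an assumption held in assumedFixedVersion and should be taken from the advisory linked above; the x/net versions and h1: hashes in the sample are placeholders, while jcmturner/rpc/v2 v2.0.3 is the module from the CI log.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// assumedFixedVersion is the first x/net release assumed here to carry the
// fix; take the real value from the advisory linked above, not from this code.
const assumedFixedVersion = "v0.23.0"

// requirement is one "module version" pair from go.mod's require section.
type requirement struct{ Path, Version string }

// parseRequires handles both the single-line and the block form of require;
// trailing comments such as "// indirect" are dropped.
func parseRequires(gomod string) []requirement {
	var reqs []requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "require (":
			inBlock = true
		case line == ")":
			inBlock = false
		case len(f) == 3 && f[0] == "require":
			reqs = append(reqs, requirement{f[1], f[2]})
		case inBlock && len(f) == 2:
			reqs = append(reqs, requirement{f[0], f[1]})
		}
	}
	return reqs
}

// coreVersion reduces vMAJOR.MINOR.PATCH[-pre][+build] to its numeric core, so
// a pseudo-version such as v0.0.0-20240101000000-abcdef123456 counts as v0.0.0.
func coreVersion(v string) (core [3]int) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		core[i], _ = strconv.Atoi(p)
	}
	return core
}

// versionLess reports whether module version a sorts before b.
func versionLess(a, b string) bool {
	ca, cb := coreVersion(a), coreVersion(b)
	for i := range ca {
		if ca[i] != cb[i] {
			return ca[i] < cb[i]
		}
	}
	return false
}

// missingSums lists requirements that have no "module version h1:..." line in
// go.sum, which is what the "missing go.sum entry" errors above complain about.
func missingSums(gomod, gosum string) []requirement {
	have := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(gosum))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 3 {
			have[f[0]+" "+f[1]] = true
		}
	}
	var missing []requirement
	for _, r := range parseRequires(gomod) {
		if !have[r.Path+" "+r.Version] {
			missing = append(missing, r)
		}
	}
	return missing
}

// Constructed sample: go.mod bumped by hand, go.sum still holding the old x/net
// line. The x/net versions and the h1: hashes are placeholders.
const sampleGoMod = "module example.com/app\n\nrequire (\n\tgithub.com/jcmturner/rpc/v2 v2.0.3\n\tgolang.org/x/net v0.22.0 // indirect\n)\n"
const sampleGoSum = "github.com/jcmturner/rpc/v2 v2.0.3 h1:PLACEHOLDER=\ngolang.org/x/net v0.21.0 h1:PLACEHOLDER=\n"

func main() {
	for _, r := range parseRequires(sampleGoMod) {
		if r.Path == "golang.org/x/net" && versionLess(r.Version, assumedFixedVersion) {
			fmt.Printf("%s %s is below %s: bump it\n", r.Path, r.Version, assumedFixedVersion)
		}
	}
	for _, r := range missingSums(sampleGoMod, sampleGoSum) {
		fmt.Printf("no go.sum entry for %s %s: run go mod tidy\n", r.Path, r.Version)
	}
}
```

In a real tree, `go mod tidy` followed by `go mod verify` is what resolves the missing entries, and `govulncheck ./...` is the authoritative check for whether the bumped module actually clears the advisory; this helper only makes visible why the build step fails before tidy has run.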
tulioncds commented 3 months ago

@tulioncds please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
    @microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
    @microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree

codecov-commenter commented 3 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 74.74%. Comparing base (2395b78) to head (f820109).

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #203   +/-   ##
=======================================
  Coverage   74.74%   74.74%
=======================================
  Files          32       32
  Lines        6379     6379
=======================================
  Hits         4768     4768
  Misses       1327     1327
  Partials      284      284
```
