oxyno-zeta / s3-proxy

S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)
https://oxyno-zeta.github.io/s3-proxy/
Apache License 2.0

fix(deps): update module github.com/go-resty/resty/v2 to v2.11.0 [security] - autoclosed #406

Closed renovate[bot] closed 7 months ago

renovate[bot] commented 7 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/go-resty/resty/v2 | v2.10.0 -> v2.11.0 |

GitHub Vulnerability Alerts

CVE-2023-45286

A race condition in go-resty can result in HTTP request body disclosure across requests.

This condition can be triggered by calling sync.Pool.Put with the same *bytes.Buffer more than once, when request retries are enabled and a retry occurs. The call to sync.Pool.Get will then return a bytes.Buffer that hasn't had bytes.Buffer.Reset called on it. This dirty buffer will contain the HTTP request body from an unrelated request, and go-resty will append the current HTTP request body to it, sending two bodies in one request.

The sync.Pool in question is defined at package level scope, so a completely unrelated server could receive the request body.


Release Notes

go-resty/resty (github.com/go-resty/resty/v2)

### [`v2.11.0`](https://togithub.com/go-resty/resty/releases/tag/v2.11.0): Release

[Compare Source](https://togithub.com/go-resty/resty/compare/v2.10.0...v2.11.0)

### Release Notes

#### Bug Fixes

- Security: Don't put the same bytes.Buffer into sync.Pool twice by [@lattwood](https://togithub.com/lattwood) in [https://github.com/go-resty/resty/pull/745](https://togithub.com/go-resty/resty/pull/745), [#764](https://togithub.com/go-resty/resty/issues/764), [#756](https://togithub.com/go-resty/resty/issues/756)
- fix: Improve Digest WWW-Authenticate response header parsing compatibility by [@bearki](https://togithub.com/bearki) in [https://github.com/go-resty/resty/pull/735](https://togithub.com/go-resty/resty/pull/735)

#### New Contributors

- [@lattwood](https://togithub.com/lattwood) made their first contribution in [https://github.com/go-resty/resty/pull/745](https://togithub.com/go-resty/resty/pull/745)
- [@bearki](https://togithub.com/bearki) made their first contribution in [https://github.com/go-resty/resty/pull/735](https://togithub.com/go-resty/resty/pull/735)

**Full Changelog**: https://github.com/go-resty/resty/compare/v2.10.0...v2.11.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
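The buffer aliasing described in the CVE-2023-45286 advisory above, as an added Go example that is not part of this PR or of resty's own code: a simplified model (the `acquire`/`release`/`Demo` names are assumed) of a package-level `sync.Pool` in which the same `*bytes.Buffer` is put back twice on the retry path, so two later, unrelated requests receive the same buffer and the second one sends both bodies; the fixed path puts the buffer back exactly once.

```go
package main

import (
	"bytes"
	"fmt"
	"runtime"
	"sync"
)

// Package-level pool, as in the advisory: every request in the process shares
// it, so a buffer put back twice by one request can be handed to a request
// bound for an unrelated server. New is nil so Get returns nil when empty.
var bodyPool sync.Pool

// acquire models an in-flight request: take a pooled buffer (or allocate one)
// and write the body into it. Like the vulnerable code, it trusts the pool to
// hand out clean buffers, so whatever the buffer already holds is kept.
func acquire(body string) *bytes.Buffer {
	buf, ok := bodyPool.Get().(*bytes.Buffer)
	if !ok {
		buf = new(bytes.Buffer)
	}
	buf.WriteString(body)
	return buf
}

// release resets the buffer and returns it to the pool. Reset on Put is not
// enough: if release runs twice for one buffer, the same pointer sits in the
// pool twice and two later Gets alias the same memory.
func release(buf *bytes.Buffer) {
	buf.Reset()
	bodyPool.Put(buf)
}

// Demo replays the advisory's scenario. releaseTwice=true is the retry path
// before the fix (buffer released once per attempt); false is the fixed,
// release-exactly-once behaviour. It reports whether two in-flight requests
// share one buffer and what the second of them would put on the wire.
func Demo(releaseTwice bool) (aliased bool, sentC string) {
	runtime.GOMAXPROCS(1) // demo only: one P keeps sync.Pool Put/Get order deterministic
	bufA := acquire("secret-body-A") // request A, which is retried
	release(bufA)
	if releaseTwice {
		release(bufA) // second Put of the same *bytes.Buffer
	}
	bufB := acquire("body-B") // request B in flight...
	bufC := acquire("body-C") // ...while unrelated request C starts
	return bufB == bufC, bufC.String()
}

func main() {
	fmt.Println(Demo(true))  // true body-Bbody-C
	fmt.Println(Demo(false)) // false body-C
}
```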