penguin-statistics / backend-next

The refactored Penguin Statistics v3 Backend. Built with Go, fiber, bun and go.uber.org/fx. Uses NATS as MQ and Redis as state synchronization.
MIT License

fix(deps): update module github.com/gofiber/fiber/v2 to v2.50.0 [security] - autoclosed #499

Closed renovate[bot] closed 11 months ago

renovate[bot] commented 1 year ago


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| github.com/gofiber/fiber/v2 | require | minor | `v2.49.2` -> `v2.50.0` |

GitHub Vulnerability Alerts

CVE-2023-45128

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Token Injection: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.

  2. Lack of Token Association: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

CVE-2023-45141

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Lack of Token Association: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

### [`v2.50.0`](https://togithub.com/gofiber/fiber/releases/tag/v2.50.0)

[Compare Source](https://togithub.com/gofiber/fiber/compare/v2.49.2...v2.50.0)

#### ❗ Breaking Changes

- Change signatures of GetReqHeaders and GetRespHeaders ([#2650](https://togithub.com/gofiber/fiber/issues/2650))

  > To allow single and list values under headers according to the [rfc standard](https://datatracker.ietf.org/doc/html/rfc9110#section-5.2)

  ```diff
  - func (c *Ctx) GetReqHeaders() map[string]string
  + func (c *Ctx) GetReqHeaders() map[string][]string
  ```

  ```diff
  - func (c *Ctx) GetRespHeaders() map[string]string
  + func (c *Ctx) GetRespHeaders() map[string][]string
  ```

#### 👮 Security

- Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368) https://docs.gofiber.io/api/middleware/csrf

  🚀 Improvements to the CSRF middleware:

  - Added support for single-use tokens through the `SingleUseToken` configuration option.
  - Optional integration with GoFiber session middleware through the `Session` and `SessionKey` configuration options.
  - Introduction of origin checks for HTTPS connections to verify referer headers.
  - Implementation of a Double Submit Cookie approach for CSRF token generation and validation when used without `Session`.
  - Enhancement of error handling with more descriptive error messages.
  - The documentation for the CSRF middleware has been enhanced with the addition of the new options and best practices to improve security.

  Thank you [@sixcolors](https://togithub.com/sixcolors)

#### 🚀 New

- Cookie parser ([#2656](https://togithub.com/gofiber/fiber/issues/2656)) https://docs.gofiber.io/api/ctx#cookieparser

  ```go
  // Field names should start with an uppercase letter
  type Person struct {
      Name string `cookie:"name"`
      Age  int    `cookie:"age"`
      Job  bool   `cookie:"job"`
  }

  // Example route
  app.Get("/", func(c *fiber.Ctx) error {
      p := new(Person)

      // This method is similar to BodyParser, but for cookie parameters
      if err := c.CookieParser(p); err != nil {
          return err
      }

      log.Println(p.Name) // Joseph
      log.Println(p.Age)  // 23
      log.Println(p.Job)  // true

      return nil
  })
  ```

- Middleware/cors: Allow disabling caching in preflight requests ([#2649](https://togithub.com/gofiber/fiber/issues/2649)) https://docs.gofiber.io/api/middleware/cors#config

  ```go
  // To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header 0.
  app.Use(cors.New(cors.Config{MaxAge: -1}))
  ```

- Middleware/session: Add Reset method to Session struct in session middleware ([#2654](https://togithub.com/gofiber/fiber/issues/2654)) https://docs.gofiber.io/api/middleware/session#signatures

  ```go
  // Provide more flexibility in session management, especially in scenarios like repeated user logins
  func (s *Session) Reset() error
  ```

  Example usage:

  ```go
  // Initialize default config
  // This stores all of your app's sessions
  store := session.New()

  app.Post("/login", func(c *fiber.Ctx) error {
      // Get session from storage
      sess, err := store.Get(c)
      if err != nil {
          panic(err)
      }

      // ... validate login ...

      // Check if the session is fresh
      if !sess.Fresh() {
          // If the session is not fresh, reset it
          if err := sess.Reset(); err != nil {
              panic(err)
          }
      }

      // Set new session data
      sess.Set("user_id", user.ID)

      // Save session
      if err := sess.Save(); err != nil {
          panic(err)
      }

      return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
  })
  ```

- Middleware/session: Add Delete method to Store struct in session middleware ([#2655](https://togithub.com/gofiber/fiber/issues/2655)) https://docs.gofiber.io/api/middleware/session#signatures

  ```go
  // Provide more control over individual session management, especially in scenarios
  // like administrator-enforced user logout or user-initiated logout from a specific device session
  func (s *Store) Delete(id string) error
  ```

  Example usage:

  ```go
  app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
      // Get session id from request
      sessionID := c.Params("id")

      // Delete the session
      if err := store.Delete(sessionID); err != nil {
          return c.Status(500).SendString(err.Error())
      }

      return c.SendString("Logout successful")
  })
  ```

#### 🧹 Updates

- Middleware/filesystem: Improve status for SendFile ([#2664](https://togithub.com/gofiber/fiber/issues/2664))
- Middleware/filesystem: Set response code ([#2632](https://togithub.com/gofiber/fiber/issues/2632))
- Refactor Ctx.Method func to improve code readability ([#2647](https://togithub.com/gofiber/fiber/issues/2647))

#### 🛠️ Maintenance

- Fix loop variable captured by func literal ([#2660](https://togithub.com/gofiber/fiber/issues/2660))
- Run gofumpt and goimports ([#2662](https://togithub.com/gofiber/fiber/issues/2662))
- Use utils.AssertEqual instead of t.Fatal on some tests ([#2653](https://togithub.com/gofiber/fiber/issues/2653))
- Apply go fix ./... with latest version of go in repository ([#2661](https://togithub.com/gofiber/fiber/issues/2661))
- Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 ([#2634](https://togithub.com/gofiber/fiber/issues/2634))
- Bump golang.org/x/sys from 0.12.0 to 0.13.0 ([#2665](https://togithub.com/gofiber/fiber/issues/2665))

#### 🐛 Fixes

- Path checking on route naming ([#2676](https://togithub.com/gofiber/fiber/issues/2676))
- Incorrect log depth when using log.WithContext ([#2666](https://togithub.com/gofiber/fiber/issues/2666))
- Jsonp ignoring custom json encoder ([#2658](https://togithub.com/gofiber/fiber/issues/2658))
- PassLocalsToView when bind parameter is nil ([#2651](https://togithub.com/gofiber/fiber/issues/2651))
- Parse ips return invalid in abnormal case ([#2642](https://togithub.com/gofiber/fiber/issues/2642))
- Bug parse custom header ([#2638](https://togithub.com/gofiber/fiber/issues/2638))
- Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() ([#2637](https://togithub.com/gofiber/fiber/issues/2637))
- Middleware/idempotency: Nil pointer dereference issue on idempotency middleware ([#2668](https://togithub.com/gofiber/fiber/issues/2668))

#### 📚 Documentation

- Incorrect status code source ([#2667](https://togithub.com/gofiber/fiber/issues/2667))
- Middleware/requestid: Typo in requestid.md ([#2675](https://togithub.com/gofiber/fiber/issues/2675))
- Middleware/cors: Update docs to better explain AllowOriginsFunc ([#2652](https://togithub.com/gofiber/fiber/issues/2652))

**Full Changelog**: https://github.com/gofiber/fiber/compare/v2.49.2...v2.50.0

Thank you [@KaptinLin](https://togithub.com/KaptinLin), [@Skyenought](https://togithub.com/Skyenought), [@cuipeiyu](https://togithub.com/cuipeiyu), [@dairlair](https://togithub.com/dairlair), [@efectn](https://togithub.com/efectn), [@gaby](https://togithub.com/gaby), [@geerew](https://togithub.com/geerew), [@huykn](https://togithub.com/huykn), [@jimmyl02](https://togithub.com/jimmyl02), [@joey1123455](https://togithub.com/joey1123455), [@joshlarsen](https://togithub.com/joshlarsen), [@jscappini](https://togithub.com/jscappini), [@peczenyj](https://togithub.com/peczenyj) and [@sixcolors](https://togithub.com/sixcolors) for making this update possible.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
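To illustrate the "lack of token association" both advisories describe, here is an added example written for this page (not fiber's csrf middleware and not this repository's code): a constructed in-memory token store with the flawed existence-only check next to a session-bound Synchronizer Token check and the Double Submit Cookie comparison; the session IDs are assumed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
)

// tokenStore is a constructed in-memory stand-in for the middleware's storage.
type tokenStore struct {
	unbound map[string]bool   // token -> exists (no requester association)
	bound   map[string]string // sessionID -> token (Synchronizer Token Pattern)
}

func newTokenStore() *tokenStore {
	return &tokenStore{unbound: map[string]bool{}, bound: map[string]string{}}
}

// Issue mints a random token for sessionID and stores it both ways.
func (s *tokenStore) Issue(sessionID string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.unbound[tok] = true
	s.bound[sessionID] = tok
	return tok, nil
}

// ValidateUnbound is the flawed check: any token present in storage is accepted.
func (s *tokenStore) ValidateUnbound(token string) bool {
	return s.unbound[token]
}

// ValidateBound is the fixed check: token must match the one stored for this session.
func (s *tokenStore) ValidateBound(sessionID, token string) bool {
	want, ok := s.bound[sessionID]
	if !ok || token == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(token)) == 1
}

// ValidateDoubleSubmit (session-less): CSRF cookie value must equal the submitted token.
func ValidateDoubleSubmit(cookieToken, submittedToken string) bool {
	if cookieToken == "" || submittedToken == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(cookieToken), []byte(submittedToken)) == 1
}
```

The unbound check accepts a token minted for one session when presented from another, which is exactly the reuse the advisories call out; the bound check and the double-submit comparison both reject it.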