spf13 / viper

Go configuration with fangs
MIT License

[Vulnerability] gorilla/websocket 1.4.0 #898

Closed jpmcb closed 4 years ago

jpmcb commented 4 years ago

This issue is related to an issue in spf13/cobra: https://github.com/spf13/cobra/issues/1091

There appears to be a vulnerability in gorilla 1.4.0

$ go mod why -m github.com/gorilla/websocket
...
# github.com/gorilla/websocket
github.com/spf13/viper/remote
github.com/bketelsen/crypt/config
github.com/bketelsen/crypt/backend/etcd
github.com/coreos/etcd/client
github.com/coreos/etcd/client.test
github.com/coreos/etcd/integration
github.com/coreos/etcd/embed
github.com/tmc/grpc-websocket-proxy/wsproxy
github.com/gorilla/websocket

sagikazarmark commented 4 years ago

Fixed in #899

DarthHater commented 4 years ago

Hi there! Can y'all cut a new release of Viper that pins to the newer version? It's great this got merged, but upstream consumption is still stuck on 1.6.3, which is still pointed at 1.4.0 for gorilla/websocket.

sagikazarmark commented 4 years ago

@DarthHater it shouldn't matter. Because of MVS, this only means your app needs a minimum of 1.4.0, but ideally it should install the latest.

DarthHater commented 4 years ago

That's not what I'm experiencing locally. For example:

Output of go list -m all:

$ go list -m all
github.com/sonatype-nexus-community/hashbrowns
cloud.google.com/go v0.26.0
github.com/BurntSushi/toml v0.3.1
github.com/Flaque/filet v0.0.0-20190209224823-fc4d33cfcf93
github.com/Masterminds/semver v0.0.0-20180403130225-3c92f33da7a8
github.com/Masterminds/vcs v1.13.1
github.com/OneOfOne/xxhash v1.2.2
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc
github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6
github.com/armon/go-radix v1.0.0
github.com/beevik/etree v1.1.0
github.com/beorn7/perks v1.0.0
github.com/boltdb/bolt v1.3.1
github.com/cespare/xxhash v1.1.0
github.com/client9/misspell v0.3.4
github.com/common-nighthawk/go-figure v0.0.0-20190529165535-67e0ed34491a
github.com/coreos/bbolt v1.3.2
github.com/coreos/etcd v3.3.13+incompatible
github.com/coreos/go-semver v0.2.0
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e
github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f
github.com/cpuguy83/go-md2man/v2 v2.0.0
github.com/davecgh/go-spew v1.1.1
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954
github.com/fsnotify/fsnotify v1.4.9
github.com/ghodss/yaml v1.0.0
github.com/go-kit/kit v0.8.0
github.com/go-logfmt/logfmt v0.4.0
github.com/go-stack/stack v1.8.0
github.com/gogo/protobuf v1.2.1
github.com/golang/dep v0.5.4
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef
github.com/golang/mock v1.1.1
github.com/golang/protobuf v1.3.1
github.com/google/btree v1.0.0
github.com/google/go-cmp v0.4.0
github.com/google/gofuzz v1.0.0
github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1
github.com/gorilla/websocket v1.4.0
github.com/grpc-ecosystem/go-grpc-middleware v1.0.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/grpc-ecosystem/grpc-gateway v1.9.0
github.com/hashicorp/hcl v1.0.0
github.com/inconshreveable/mousetrap v1.0.0
github.com/jarcoal/httpmock v1.0.5
github.com/jmank88/nuts v0.3.0
github.com/jonboulle/clockwork v0.1.0
github.com/json-iterator/go v1.1.9
github.com/jtolds/gls v4.20.0+incompatible
github.com/julienschmidt/httprouter v1.2.0
github.com/kisielk/errcheck v1.1.0
github.com/kisielk/gotool v1.0.0
github.com/konsorten/go-windows-terminal-sequences v1.0.3
github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515
github.com/kr/pretty v0.1.0
github.com/kr/pty v1.1.1
github.com/kr/text v0.1.0
github.com/logrusorgru/aurora v0.0.0-20190803045625-94edacc10f9b
github.com/magiconair/properties v1.8.1
github.com/matttproud/golang_protobuf_extensions v1.0.1
github.com/mitchellh/go-homedir v1.1.0
github.com/mitchellh/mapstructure v1.3.0
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421
github.com/modern-go/reflect2 v1.0.1
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223
github.com/nightlyone/lockfile v0.0.0-20180618180623-0ad87eef1443
github.com/oklog/ulid v1.3.1
github.com/package-url/packageurl-go v0.1.0
github.com/pelletier/go-toml v1.7.0
github.com/pkg/errors v0.8.0
github.com/pmezard/go-difflib v1.0.0
github.com/prometheus/client_golang v0.9.3
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90
github.com/prometheus/common v0.4.0
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084
github.com/prometheus/tsdb v0.7.1
github.com/recoilme/pudge v1.0.3
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af
github.com/russross/blackfriday/v2 v2.0.1
github.com/sdboyer/constext v0.0.0-20170321163424-836a14457353
github.com/shopspring/decimal v1.2.0
github.com/shurcooL/sanitized_anchor_name v1.0.0
github.com/sirupsen/logrus v1.5.0
github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d
github.com/smartystreets/goconvey v1.6.4
github.com/soheilhy/cmux v0.1.4
github.com/sonatype-nexus-community/nancy v0.2.3
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72
github.com/spf13/afero v1.2.2
github.com/spf13/cast v1.3.1
github.com/spf13/cobra v1.0.0
github.com/spf13/jwalterweatherman v1.1.0
github.com/spf13/pflag v1.0.5
github.com/spf13/viper v1.6.3
github.com/stretchr/objx v0.1.1
github.com/stretchr/testify v1.5.1
github.com/subosito/gotenv v1.2.0
github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5
github.com/ugorji/go v1.1.4
github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77
go.etcd.io/bbolt v1.3.2
go.uber.org/atomic v1.4.0
go.uber.org/multierr v1.1.0
go.uber.org/zap v1.10.0
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2
golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3
golang.org/x/net v0.0.0-20190522155817-f3200d17e092
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a
golang.org/x/sys v0.0.0-20200430202703-d923437fa56d
golang.org/x/text v0.3.2
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4
golang.org/x/tools v0.0.0-20190328211700-ab21143f2384
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
google.golang.org/appengine v1.1.0
google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8
google.golang.org/grpc v1.21.0
gopkg.in/alecthomas/kingpin.v2 v2.2.6
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127
gopkg.in/go-playground/assert.v1 v1.2.1
gopkg.in/ini.v1 v1.55.0
gopkg.in/resty.v1 v1.12.0
gopkg.in/yaml.v2 v2.2.8
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099

Output of go get -u:

$ go get -u -v
go: golang.org/x/sys upgrade => v0.0.0-20200430202703-d923437fa56d
go: gopkg.in/yaml.v2 upgrade => v2.2.8
go: github.com/pelletier/go-toml upgrade => v1.7.0
go: github.com/shopspring/decimal upgrade => v1.2.0
go: github.com/mitchellh/mapstructure upgrade => v1.3.0
go: github.com/spf13/pflag upgrade => v1.0.5
go: github.com/fsnotify/fsnotify upgrade => v1.4.9
go: github.com/konsorten/go-windows-terminal-sequences upgrade => v1.0.3
go: github.com/spf13/jwalterweatherman upgrade => v1.1.0
go: github.com/spf13/cast upgrade => v1.3.1
go: golang.org/x/text upgrade => v0.3.2
go: github.com/magiconair/properties upgrade => v1.8.1
go: github.com/sirupsen/logrus upgrade => v1.5.0
go: github.com/spf13/viper upgrade => v1.6.3
go: github.com/spf13/afero upgrade => v1.2.2
go: gopkg.in/ini.v1 upgrade => v1.55.0

Output of go get -u github.com/gorilla/websocket:

$ go get -u github.com/gorilla/websocket
go: github.com/gorilla/websocket upgrade => v1.4.2

Output of go list -m all looks good at that point; HOWEVER, if you run go mod tidy, you go right back to square one. Leads me into a bit of a catch-22.
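To make the MVS point in the thread concrete (sagikazarmark's "this only means your app needs minimum 1.4.0" and DarthHater's observation that the resolved version falls back to v1.4.0), here is an added example, not code from the viper project, that runs minimal version selection over a constructed, shortened model of the `go mod why` chain shown in the issue. It assumes a simplified semver comparison that ignores build metadata such as `+incompatible`; it shows that a dependency's requirement is only a floor, and the selected gorilla/websocket version rises above v1.4.0 only when the main module itself requires v1.4.2.

```go
package main

import (
	"strconv"
	"strings"
)

// Dep is one require edge: a module path at a specific version.
type Dep struct{ Path, Version string }
// Graph maps "path@version" to the modules that version requires.
type Graph map[string][]Dep
// IssueGraph is a constructed, shortened model of the chain printed by
// `go mod why -m github.com/gorilla/websocket` in the issue.
var IssueGraph = Graph{
	"github.com/spf13/viper@v1.6.3":               {{"github.com/coreos/etcd", "v3.3.13+incompatible"}},
	"github.com/coreos/etcd@v3.3.13+incompatible": {{"github.com/gorilla/websocket", "v1.4.0"}},
}
// semverLess compares "vMAJOR.MINOR.PATCH" numerically; build metadata such as
// "+incompatible" is ignored (a simplification of golang.org/x/mod/semver).
func semverLess(a, b string) bool {
	pa := strings.Split(strings.TrimPrefix(strings.SplitN(a, "+", 2)[0], "v"), ".")
	pb := strings.Split(strings.TrimPrefix(strings.SplitN(b, "+", 2)[0], "v"), ".")
	for i := 0; i < len(pa) && i < len(pb); i++ {
		x, _ := strconv.Atoi(pa[i])
		if y, _ := strconv.Atoi(pb[i]); x != y {
			return x < y
		}
	}
	return false
}
// BuildList is minimal version selection: every module version reachable from the
// main module's requirements is visited and the highest version seen per path wins.
func BuildList(g Graph, mainReqs []Dep) map[string]string {
	selected, seen := map[string]string{}, map[string]bool{}
	work := append([]Dep(nil), mainReqs...)
	for len(work) > 0 {
		d := work[0]
		work = work[1:]
		k := d.Path + "@" + d.Version
		if seen[k] {
			continue
		}
		seen[k] = true
		if cur, ok := selected[d.Path]; !ok || semverLess(cur, d.Version) {
			selected[d.Path] = d.Version
		}
		work = append(work, g[k]...) // this version's own requirements are reachable too
	}
	return selected
}
```

Requiring only viper v1.6.3 selects gorilla/websocket v1.4.0; adding a direct requirement on v1.4.2 in the main module raises the selection to v1.4.2, which is the requirement that has to survive in the consuming go.mod for the upgrade to stick.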