Several HandleRoute endpoints make use of the deprecated ioutil.ReadAll(). ioutil.ReadAll() reads all the data into memory. As such, an attacker who sends a large request to the Argo Events server will be able to crash it and cause denial of service.
Eventsources susceptible to an out-of-memory denial-of-service attack:
- AWS SNS
- Bitbucket
- Bitbucket Server
- Gitlab
- Slack
- Storagegrid
- Webhook
Note that the Stripe Event Source uses ioutil.ReadAll() but limits the size of the request body: https://github.com/argoproj/argo-events/blob/master/eventsources/sources/stripe/start.go#L77
Since io/ioutil has ceased maintenance we recommend discontinuing all use of this package.

Severity: Medium
Difficulty: Medium
Target
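The unbounded read described in this issue next to a size-capped handler, as an added example that is not Argo Events code. The handler names, the `/hook` path and the 64 KiB cap are assumptions chosen for illustration, and `http.MaxBytesReader` is one way to enforce such a cap.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes is an assumed cap; size it to the largest legitimate event payload.
const maxBodyBytes = 64 << 10

// unboundedHandler mirrors the pattern in the finding (ioutil.ReadAll forwards to io.ReadAll).
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, _ := io.ReadAll(r.Body) // no cap: the sender chooses the allocation size
	fmt.Fprint(w, len(body))
}

// boundedHandler stops reading at maxBodyBytes and answers 413 instead of
// buffering whatever the client sends.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		status := http.StatusBadRequest
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			status = http.StatusRequestEntityTooLarge
		}
		http.Error(w, http.StatusText(status), status)
		return
	}
	fmt.Fprint(w, len(body))
}

// post sends a constructed n-byte body to h and returns the status code and response text.
func post(h http.HandlerFunc, n int) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/hook", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(post(unboundedHandler, maxBodyBytes+1))
	fmt.Println(post(boundedHandler, maxBodyBytes+1))
}
```

The cap bounds memory per request only; the number of concurrent requests still has to be limited separately.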