
Fix the GO-2022-1144 vulnerability #3432

Merged
merged 1 commit into from
Dec 21, 2022

Conversation

mstmdev
Contributor

@mstmdev mstmdev commented Dec 10, 2022

Scan the vulnerability database with the following command:

```console
$ go install golang.org/x/vuln/cmd/govulncheck@latest
$ govulncheck ./...
Vulnerability #1: GO-2022-1144
  An attacker can cause excessive memory growth in a Go server
  accepting HTTP/2 requests. HTTP/2 server connections contain a
  cache of HTTP header keys sent by the client. While the total
  number of entries in this cache is capped, an attacker sending
  very large keys can cause the server to allocate approximately
  64 MiB per open connection.

  Call stacks in your code:
      gin.go:561:18: github.com/gin-gonic/gin.Engine.RunListener calls net/http.Serve, which eventually calls golang.org/x/net/http2.Server.ServeConn

  Found in: golang.org/x/net/http2@v0.0.0-20221004154528-8021a29435af
  Fixed in: golang.org/x/net/http2@v0.4.0
  More info: https://pkg.go.dev/vuln/GO-2022-1144
```
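The govulncheck finding above compares a module's required `golang.org/x/net` version against the fixed `v0.4.0`. The following is an added example (not code from this PR or the gin project) that performs that single check offline over `go list -m all` output, so it can run in CI without the vulnerability database; the module list is constructed, the function names are hypothetical, and the small comparator exists mainly to order pseudo-versions such as the one reported here correctly against a tagged release.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go list -m all` output for a gin-based module.
const sampleGoList = `example.com/app
github.com/gin-gonic/gin v1.8.1
golang.org/x/net v0.0.0-20221004154528-8021a29435af`

// parseVersion splits "vMAJOR.MINOR.PATCH[-prerelease][+build]" into numbers and a
// pre-release flag; a pseudo-version carries a pre-release part and so sorts below
// a release with the same numbers, which is why a v0.0.0-... pseudo-version is older than v0.4.0.
func parseVersion(v string) (nums [3]int, pre, ok bool) {
	core, rest, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	core, _, _ = strings.Cut(core, "+")
	_, err := fmt.Sscanf(core, "%d.%d.%d", &nums[0], &nums[1], &nums[2])
	return nums, rest != "", err == nil
}

// olderThan reports whether module version a sorts strictly before b (ok=false on malformed input).
func olderThan(a, b string) (older, ok bool) {
	an, apre, okA := parseVersion(a)
	bn, bpre, okB := parseVersion(b)
	if !okA || !okB {
		return false, false
	}
	for i := range an {
		if an[i] != bn[i] {
			return an[i] < bn[i], true
		}
	}
	return apre && !bpre, true
}

// affectedByGO20221144 scans `go list -m all` output and returns the golang.org/x/net
// version when it is older than the fixed v0.4.0, else "". A "=> replacement" suffix
// on the line is ignored: only the required version is judged.
func affectedByGO20221144(goList string) string {
	for _, line := range strings.Split(goList, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "golang.org/x/net" {
			if older, ok := olderThan(f[1], "v0.4.0"); ok && older {
				return f[1]
			}
		}
	}
	return ""
}
```

Feed it the real output of `go list -m all` from the module root; a non-empty result means the bump to `golang.org/x/net v0.4.0` in this PR (or later) is still missing.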

@mstmdev
Contributor Author

mstmdev commented Dec 10, 2022

Fixes #3431

@codecov

codecov bot commented Dec 10, 2022

Codecov Report

Merging #3432 (2833734) into master (cc367f9) will not change coverage.
The diff coverage is n/a.

```
@@           Coverage Diff           @@
##           master    #3432   +/-   ##
=======================================
  Coverage   98.27%   98.27%           
=======================================
  Files          42       42           
  Lines        3137     3137           
=======================================
  Hits         3083     3083           
  Misses         40       40           
  Partials       14       14           
```

| Flag | Coverage Δ |
|---|---|
| (all) | 98.27% <ø> (ø) |
| go-1.16 | ∅ <ø> (∅) |
| go-1.17 | 98.18% <ø> (ø) |
| go-1.18 | 98.18% <ø> (ø) |
| go-1.19 | 98.27% <ø> (ø) |
| macos-latest | 98.27% <ø> (ø) |
| ubuntu-latest | 98.27% <ø> (ø) |

Flags with carried forward coverage won't be shown.


@mstmdev mstmdev changed the title Fix the GO-2022-1144 Vulnerability Fix the GO-2022-1144 vulnerability Dec 10, 2022
@appleboy appleboy modified the milestones: v1.8.2, v1.9 Dec 21, 2022
@appleboy appleboy merged commit d4caeee into gin-gonic:master Dec 21, 2022
@appleboy appleboy modified the milestones: v1.9, v1.8.2 Dec 21, 2022
@mstmdev mstmdev deleted the fix-vulnerability-go-2022-1144 branch December 21, 2022 10:22

thxCode pushed a commit to seal-io/gin that referenced this pull request Feb 6, 2023