Security: Don't put the same bytes.Buffer into sync.Pool twice #745
Conversation
|
This closes #739 as well. Now that I’m thinking about it, this is a security issue, as it’s disclosing a HTTP body to an unrelated endpoints/servers. |
lattwood
changed the title
|
@jeevatkm Able to take a look here when you have a moment? |
|
@jeevatkm pls merge |
|
Any updates on this ticket? |
|
Your best bet is going to be forking this, or moving to a different library, based on how long this issue has been open. |
|
Yeah we are moving. Not only is the CVE a big problem, after the update to 2.10 we experienced fun bugs where the json request body of a previous or the same request (could not tell) was copied in the host part of the request URL. This occurred when multiple request were running concurrently and we changed nothing but the resty upgrade. Was fine for two years. I cannot prove it as I could not recreate the bug but a downgrade to 2.9.1 immediately solved the problem. It could be a side effect of this buffer problem but as i cannot prove it i won't open a new thread. Just wanted to state it if somebody else experiences something different and has more time at hands to test it through. Here is an example log from our kibana: Because of the Here is my example gist where i could not recreate the problem and my time budget was done: https://gist.github.com/niksteff/2fd29672a24372782627d99ba2016031 |
|
For everyone that needs a quick fix without downgrading to v2.9.1: replace github.com/go-resty/resty/v2 => github.com/lattwood/resty/v2 v2.0.0-20231102200459-74e9e135ae0cPut the above line into your |
|
Any timeline as to when this PR will be merged? |
|
@lattwood and members on the PR - Thanks for reaching out. I have been traveling on vacation days and will return from vacation in the first week of January. Let me merge this PR and make a release. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## v2 #745 +/- ##
==========================================
- Coverage 96.51% 96.51% -0.01%
==========================================
Files 12 12
Lines 1637 1636 -1
==========================================
- Hits 1580 1579 -1
Misses 36 36
Partials 21 21 ☔ View full report in Codecov by Sentry. |
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/go-resty/resty/v2](https://togithub.com/go-resty/resty) | `v2.10.0` -> `v2.11.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>go-resty/resty (github.com/go-resty/resty/v2)</summary> ### [`v2.11.0`](https://togithub.com/go-resty/resty/releases/tag/v2.11.0): Release [Compare Source](https://togithub.com/go-resty/resty/compare/v2.10.0...v2.11.0) ### Release Notes #### Bug Fixes - Security: Don't put the same bytes.Buffer into sync.Pool twice by [@​lattwood](https://togithub.com/lattwood) in [go-resty/resty#745, [#​764](https://togithub.com/go-resty/resty/issues/764), [#​756](https://togithub.com/go-resty/resty/issues/756) - fix: Improve Digest WWW-Authenticate response header parsing compatibility by [@​bearki](https://togithub.com/bearki) in [go-resty/resty#735 #### New Contributors - [@​lattwood](https://togithub.com/lattwood) made their first contribution in [go-resty/resty#745 - [@​bearki](https://togithub.com/bearki) made their first contribution in [go-resty/resty#735 **Full Changelog**: go-resty/resty@v2.10.0...v2.11.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Michsior14/transmission-gluetun-port-update). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
This fixes #743, possibly #739.
Discovered this while tracking down an issue in https://github.com/linode/terraform-provider-linode.
The removed call to sync.Pool.Put is handled by the request body wrapper that puts the buffer back in the pool when the body is closed.