
The lint tests are failing because of a CVE in github.com/go-resty/resty/v2 used by protondrive #7491

Closed
ncw opened this issue Dec 7, 2023 · 2 comments
Labels
Remote: Proton Drive security Potential security problem

Comments

ncw commented Dec 7, 2023

The lint tests are failing because of a CVE in github.com/go-resty/resty/v2

This is as described in: https://pkg.go.dev/vuln/GO-2023-2328

This is fine, these things happen, but what doesn't seem to be happening is a fix being generated.

There is a PR open with a fix but it has been open for over a month.

The only code which uses this is the protondrive backend.

So my question to you @henrybear327 is - is it easy to move away from this library if we find out that this isn't going to be fixed in a reasonable time? There is some discussion about alternatives on the PR as we are not the only project affected.

@ncw ncw added security Potential security problem Remote: Proton Drive labels Dec 7, 2023
@darthShadow (Member) commented

This seems to be fixed in the actual upstream library by using their own fork: ProtonMail/go-proton-api@0ee691e, but since we are using a fork of that, it doesn't have that fix.

ncw added a commit that referenced this issue Jan 3, 2024
A race condition in go-resty can result in HTTP request body
disclosure across requests.

See: https://pkg.go.dev/vuln/GO-2023-2328
Fixes: #7491
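The race the commit message refers to is a pooled request-body buffer that is still used after it has been released, so that two unrelated requests end up writing into the same memory. The following Go program is an added illustration of that bug class, written for this page; it is not resty's or rclone's code, and the page does not describe resty's internals. It assumes (as in the common shape of this bug) that a retry path keeps using a buffer it has already returned to the pool and then returns it a second time. A small channel-backed pool stands in for sync.Pool so the result is deterministic; the aliasing hazard is the same with either. The fixed client pairs every Get with exactly one Put.

```go
package main

import (
	"bytes"
	"fmt"
)

// bufPool is a tiny, deterministic stand-in for sync.Pool (assumption for
// this illustration: sync.Pool may drop items at GC, which would make the
// demonstration flaky). Nothing in it can detect that the same pointer
// was handed back twice, exactly like sync.Pool.
type bufPool struct{ free chan *bytes.Buffer }

func newBufPool(size int) *bufPool {
	return &bufPool{free: make(chan *bytes.Buffer, size)}
}

// Get hands out a free buffer, or a fresh one if the pool is empty.
func (p *bufPool) Get() *bytes.Buffer {
	select {
	case b := <-p.free:
		return b
	default:
		return new(bytes.Buffer)
	}
}

// Put resets the buffer and returns it to the pool (dropped if the pool is full).
func (p *bufPool) Put(b *bytes.Buffer) {
	b.Reset()
	select {
	case p.free <- b:
	default:
	}
}

// requestVulnerable models a client whose retry path keeps using a buffer it
// has already returned to the pool and then returns it a second time. After a
// retried request the pool holds two references to the same *bytes.Buffer.
func requestVulnerable(p *bufPool, body string, retry bool) {
	buf := p.Get()
	buf.WriteString(body)
	// ... first attempt is written to the wire here ...
	p.Put(buf) // released, but buf is still in scope
	if retry {
		buf.WriteString(body) // use after release
		// ... retry is written to the wire here ...
		p.Put(buf) // double Put: the pool now aliases this buffer twice
	}
}

// requestFixed pairs every Get with exactly one Put, however many attempts
// are made, so the pool can never hand the same buffer to two callers.
func requestFixed(p *bufPool, body string, retry bool) {
	buf := p.Get()
	defer p.Put(buf)
	attempts := 1
	if retry {
		attempts = 2
	}
	for i := 0; i < attempts; i++ {
		buf.Reset()
		buf.WriteString(body)
		// ... attempt i is written to the wire here ...
	}
}

// crossRequestLeak plays two later, unrelated requests A and B that each take
// a buffer from the pool and build their body in it. It returns what B would
// put on the wire and whether A and B were handed the same buffer.
func crossRequestLeak(p *bufPool) (bodySentByB string, aliased bool) {
	a := p.Get()
	b := p.Get()
	a.WriteString("secret-A") // A's private request body (constructed sample)
	b.WriteString("body-B")   // B's own request body (constructed sample)
	return b.String(), a == b
}

func main() {
	vuln := newBufPool(4)
	requestVulnerable(vuln, "retry-me", true)
	body, aliased := crossRequestLeak(vuln)
	fmt.Printf("vulnerable: aliased=%v, B sends %q\n", aliased, body)

	fixed := newBufPool(4)
	requestFixed(fixed, "retry-me", true)
	body, aliased = crossRequestLeak(fixed)
	fmt.Printf("fixed:      aliased=%v, B sends %q\n", aliased, body)
}
```

With the vulnerable client, request B's outgoing body starts with A's data because both requests were handed the same buffer; with the fixed client they get distinct buffers. The same one-Get-one-Put discipline is what to look for when reviewing any code that recycles request or response buffers through a pool.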

ncw commented Jan 3, 2024

A fix for this has been issued by upstream and I've made a commit to use it, but the govuln database hasn't been updated yet so the tests are still failing :-(

@ncw ncw closed this as completed in 5fa13e3 Jan 4, 2024
ncw added a commit that referenced this issue Jan 5, 2024
A race condition in go-resty can result in HTTP request body
disclosure across requests.

See: https://pkg.go.dev/vuln/GO-2023-2328
Fixes: #7491