
GHSA-5gjg-jgh4-gppm github.com/ecnepsnai/web

Package

Manager: go
Name: github.com/ecnepsnai/web
Vulnerable Version: >=1.4.0 <1.5.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Websocket requests did not call AuthenticateMethod

### Impact

Depending on implementation, a denial-of-service or privilege-escalation vulnerability may occur in software that uses the `github.com/ecnepsnai/web` package with web sockets that have an `AuthenticateMethod`. The `AuthenticateMethod` is not called, and `UserData` will be nil in request methods. Attempts to read `UserData` may result in a panic.

This issue only affects web sockets where an `AuthenticateMethod` is supplied in the handle options. Users who do not use web sockets, or who do not require authentication, are not at risk.

#### Example

In the example below, one would expect the `AuthenticateMethod` function to be called for each request to `/example`:

```go
handleOptions := web.HandleOptions{
	AuthenticateMethod: func(request *http.Request) interface{} {
		// Assume there is logic here to check for an active session,
		// look at cookies or headers, etc...
		session := Session{} // Example
		return session
	},
}
server.Socket("/example", handle, handleOptions)
```

However, the method is not called, and therefore the `UserData` parameter of the request object in the handle will be nil, when it was expected to be the `session` object returned above.

### Patches

Release v1.5.2 fixes this vulnerability: the authenticate method is now called for websocket requests. All users of the web package should update to v1.5.2 or later.

### Workarounds

You may work around this issue by making the authenticate method a named function, then calling that function at the start of the handle method for the websocket. Reject connections when the return value of the method is nil.
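A self-contained illustration of that workaround, added here and not code from the advisory or the `web` package: the authenticate method is written as a named function that the socket handle calls before anything else, rejecting the connection when it returns nil. The `net/http` handler signature and the cookie-backed session store are assumptions standing in for the package's own types.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Session is a constructed stand-in for the per-user data an application keeps;
// sessions is a constructed store for the example (cookie value -> session).
type Session struct{ Username string }
var sessions = map[string]Session{"abc123": {Username: "alice"}}

// authenticate is the AuthenticateMethod written as a named function, so the
// websocket handle can call it itself rather than relying on HandleOptions
// (which affected versions skip for sockets). Nil means "no valid session".
func authenticate(r *http.Request) interface{} {
	c, err := r.Cookie("session")
	if err != nil {
		return nil
	}
	if s, ok := sessions[c.Value]; ok {
		return s
	}
	return nil
}

// socketHandle stands in for the handle passed to server.Socket (net/http-style
// signature is an assumption). It authenticates first and rejects when nil,
// so the handle never reads a nil UserData.
func socketHandle(w http.ResponseWriter, r *http.Request) {
	userData := authenticate(r)
	if userData == nil {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	session := userData.(Session) // safe: authenticate returns Session or nil
	w.Write([]byte("socket accepted for " + session.Username))
}

// statusFor drives socketHandle with an optional session cookie and returns
// the HTTP status code, which is what the test asserts on.
func statusFor(cookie string) int {
	r := httptest.NewRequest(http.MethodGet, "/example", nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	w := httptest.NewRecorder()
	socketHandle(w, r)
	return w.Code
}
```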

Metadata

Created: 2021-06-23T17:26:30Z
Modified: 2021-10-05T16:37:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-5gjg-jgh4-gppm/GHSA-5gjg-jgh4-gppm.json
CWE IDs: ["CWE-304"]
Alternative ID: N/A
Finding: F006
Auto approve: 1