Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: Don't put the same bytes.Buffer into sync.Pool twice #745

Merged
merged 1 commit into from
Dec 27, 2023

Conversation

lattwood
Copy link
Contributor

@lattwood lattwood commented Nov 2, 2023

This fixes #743, possibly #739.

Discovered this while tracking down an issue in https://github.com/linode/terraform-provider-linode.

The removed call to sync.Pool.Put is handled by the request body wrapper that puts the buffer back in the pool when the body is closed.

@lattwood
Copy link
Contributor Author

lattwood commented Nov 4, 2023

This closes #739 as well.

Now that I’m thinking about it, this is a security issue, as it’s disclosing a HTTP body to an unrelated endpoints/servers.

@lattwood lattwood changed the title Don't put the same bytes.Buffer into sync.Pool twice Security: Don't put the same bytes.Buffer into sync.Pool twice Nov 4, 2023
@jeromedoucet jeromedoucet mentioned this pull request Nov 28, 2023
@reedloden
Copy link

@jeevatkm Able to take a look here when you have a moment?

@jxsl13
Copy link

jxsl13 commented Dec 1, 2023

@jeevatkm pls merge

@safaci2000
Copy link

Any updates on this ticket?

@lattwood
Copy link
Contributor Author

lattwood commented Dec 6, 2023

Your best bet is going to be forking this, or moving to a different library, based on how long this issue has been open.

@niksteff
Copy link

niksteff commented Dec 7, 2023

Yeah we are moving. Not only is the CVE a big problem, after the update to 2.10 we experienced fun bugs where the json request body of a previous or the same request (could not tell) was copied in the host part of the request URL. This occurred when multiple request were running concurrently and we changed nothing but the resty upgrade. Was fine for two years. I cannot prove it as I could not recreate the bug but a downgrade to 2.9.1 immediately solved the problem.

It could be a side effect of this buffer problem but as i cannot prove it i won't open a new thread. Just wanted to state it if somebody else experiences something different and has more time at hands to test it through.

Here is an example log from our kibana:

2023/11/28 13:51:16.736214 WARN RESTY parse "{"some very large json request body here"}/oms/customer/v3/users/2133478": first path segment in URL cannot contain colon, Attempt 1

Because of the WARN RESTY you can see the warning is logged from the resty code base as this log is hard coded there.

Here is my example gist where i could not recreate the problem and my time budget was done: https://gist.github.com/niksteff/2fd29672a24372782627d99ba2016031

@Coronon
Copy link

Coronon commented Dec 17, 2023

For everyone that needs a quick fix without downgrading to v2.9.1:

replace github.com/go-resty/resty/v2 => github.com/lattwood/resty/v2 v2.0.0-20231102200459-74e9e135ae0c

Put the above line into your go.mod file to override the resty code with this PR.

@vithubati
Copy link

vithubati commented Dec 26, 2023

Any timeline as to when this PR will be merged?

@jeevatkm
Copy link
Member

@lattwood and members on the PR - Thanks for reaching out. I have been traveling on vacation days and will return from vacation in the first week of January.
I'm sorry for not checking my emails and notifications properly these days.

Let me merge this PR and make a release.

Copy link
Member

@jeevatkm jeevatkm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lattwood Thank you for the PR, appreciated.

Copy link

codecov bot commented Dec 27, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (105f718) 96.51% compared to head (74e9e13) 96.51%.

Additional details and impacted files
@@            Coverage Diff             @@
##               v2     #745      +/-   ##
==========================================
- Coverage   96.51%   96.51%   -0.01%     
==========================================
  Files          12       12              
  Lines        1637     1636       -1     
==========================================
- Hits         1580     1579       -1     
  Misses         36       36              
  Partials       21       21              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jeevatkm jeevatkm merged commit 577fed8 into go-resty:v2 Dec 27, 2023
3 checks passed
@jeevatkm jeevatkm added this to the v2.11.0 Milestone milestone Dec 27, 2023
Michsior14 referenced this pull request in Michsior14/transmission-gluetun-port-update Dec 30, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/go-resty/resty/v2](https://togithub.com/go-resty/resty) |
`v2.10.0` -> `v2.11.0` |
[![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-resty%2fresty%2fv2/v2.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fgo-resty%2fresty%2fv2/v2.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fgo-resty%2fresty%2fv2/v2.10.0/v2.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-resty%2fresty%2fv2/v2.10.0/v2.11.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

### Release Notes

<details>
<summary>go-resty/resty (github.com/go-resty/resty/v2)</summary>

###
[`v2.11.0`](https://togithub.com/go-resty/resty/releases/tag/v2.11.0):
Release

[Compare
Source](https://togithub.com/go-resty/resty/compare/v2.10.0...v2.11.0)

### Release Notes

#### Bug Fixes

- Security: Don't put the same bytes.Buffer into sync.Pool twice by
[@&#8203;lattwood](https://togithub.com/lattwood) in
[https://github.com/go-resty/resty/pull/745](https://togithub.com/go-resty/resty/pull/745),
[#&#8203;764](https://togithub.com/go-resty/resty/issues/764),
[#&#8203;756](https://togithub.com/go-resty/resty/issues/756)
- fix: Improve Digest WWW-Authenticate response header parsing
compatibility by [@&#8203;bearki](https://togithub.com/bearki) in
[https://github.com/go-resty/resty/pull/735](https://togithub.com/go-resty/resty/pull/735)

#### New Contributors

- [@&#8203;lattwood](https://togithub.com/lattwood) made their first
contribution in
[https://github.com/go-resty/resty/pull/745](https://togithub.com/go-resty/resty/pull/745)
- [@&#8203;bearki](https://togithub.com/bearki) made their first
contribution in
[https://github.com/go-resty/resty/pull/735](https://togithub.com/go-resty/resty/pull/735)

**Full Changelog**:
go-resty/resty@v2.10.0...v2.11.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Michsior14/transmission-gluetun-port-update).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEwMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

Request body is written multiple times
8 participants