Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module github.com/gofiber/fiber/v2 to v2.50.0 [security] #36

Merged
merged 1 commit into from
Oct 23, 2023
Merged

fix(deps): update module github.com/gofiber/fiber/v2 to v2.50.0 [security] #36

merged 1 commit into from
Oct 23, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 17, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/gofiber/fiber/v2 require minor v2.49.2 -> v2.50.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-45128

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Token Injection: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.

  2. Lack of Token Association: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

CVE-2023-45141

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

  1. Lack of Token Association: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

  1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

  2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

  3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

  4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.50.0

Compare Source

❗ Breaking Changes

  • Change signatures of GetReqHeaders and GetRespHeaders (#​2650)

To allow single and list values under headers according to the rfc standard

- func (c *Ctx) GetReqHeaders() map[string]string
+ func (c *Ctx) GetReqHeaders() map[string][]string
- func (c *Ctx) GetRespHeaders() map[string]string
+ func (c *Ctx) GetRespHeaders() map[string][]string

🚀 New

// Field names should start with an uppercase letter
type Person struct {
    Name     string  `cookie:"name"`
    Age      int     `cookie:"age"`
    Job      bool    `cookie:"job"`
}
// Example route
app.Get("/", func(c *fiber.Ctx) error {
    p := new(Person)
    // This method is similar to BodyParser, but for cookie parameters
    if err := c.CookieParser(p); err != nil {
        return err
    }
    
    log.Println(p.Name)     // Joseph
    log.Println(p.Age)      // 23
    log.Println(p.Job)      // true
})
// To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header 0.
app.Use(cors.New(cors.Config{MaxAge: -1})) 
// Provide more flexibility in session management, especially in scenarios like repeated user logins
func (s *Session) Reset() error

Example usage:

// Initialize default config
// This stores all of your app's sessions
store := session.New()

app.Post("/login", func(c *fiber.Ctx) error {
    // Get session from storage
    sess, err := store.Get(c)
    if err != nil {
        panic(err)
    }
    
    // ... validate login ...
    
    // Check if the session is fresh
    if !sess.Fresh() {
        // If the session is not fresh, reset it
        if err := sess.Reset(); err != nil {
            panic(err)
        }
    }
    // Set new session data
    sess.Set("user_id", user.ID)
    // Save session
    if err := sess.Save(); err != nil {
        panic(err)
    }

    return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
})
// Provide more control over individual session management, especially in scenarios 
// like administrator-enforced user logout or user-initiated logout from a specific device session
func (s *Store) Delete(id string) error

Example usage:

app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
    // Get session id from request
    sessionID := c.Params("id")

    // Delete the session
    if err := store.Delete(sessionID); err != nil {
        return c.Status(500).SendString(err.Error())
    }

    return c.SendString("Logout successful")
})

🧹 Updates

  • Middleware/filesystem: Improve status for SendFile (#​2664)
  • Middleware/filesystem: Set response code (#​2632)
  • Refactor Ctx.Method func to improve code readability (#​2647)

🛠️ Maintenance

  • Fix loop variable captured by func literal (#​2660)
  • Run gofumpt and goimports (#​2662)
  • Use utils.AssertEqual instead of t.Fatal on some tests (#​2653)
  • Apply go fix ./... with latest version of go in repository (#​2661)
  • Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 (#​2634)
  • Bump golang.org/x/sys from 0.12.0 to 0.13.0 (#​2665)

🐛 Fixes

  • Path checking on route naming (#​2676)
  • Incorrect log depth when use log.WithContext (#​2666)
  • Jsonp ignoring custom json encoder (#​2658)
  • PassLocalsToView when bind parameter is nil (#​2651)
  • Parse ips return invalid in abnormal case (#​2642)
  • Bug parse custom header (#​2638)
  • Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() (#​2637)
  • Middleware/idempotency: Nil pointer dereference issue on idempotency middleware (#​2668)
  • Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368)

📚 Documentation

  • Incorrect status code source (#​2667)
  • Middleware/requestid: Typo in requestid.md (#​2675)
  • Middleware/cors: Update docs to better explain AllowOriginsFunc (#​2652)

Full Changelog: gofiber/fiber@v2.49.2...v2.50.0

Thank you @​KaptinLin, @​Skyenought, @​cuipeiyu, @​dairlair, @​efectn, @​gaby, @​geerew, @​huykn, @​jimmyl02, @​joey1123455, @​joshlarsen, @​jscappini, @​peczenyj and @​sixcolors for making this update possible.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@TheDevMinerTV TheDevMinerTV merged commit 1c87ea5 into main Oct 23, 2023
4 checks passed
@renovate renovate bot deleted the renovate/go-github.com/gofiber/fiber/v2-vulnerability branch October 23, 2023 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@TheDevMinerTV