Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability CWE-113 agreementbot/api.go:325 #4208

Closed
omordyk opened this issue Dec 16, 2024 · 0 comments · Fixed by #4210
Closed

Vulnerability CWE-113 agreementbot/api.go:325 #4208

omordyk opened this issue Dec 16, 2024 · 0 comments · Fixed by #4210
Assignees
@omordyk
Labels
security

Comments

@omordyk
Copy link
Contributor

omordyk commented Dec 16, 2024
edited
Loading

Vulnerability CWE-113 agreementbot/api.go:325
http://cwe.mitre.org/data/definitions/113.html

Pr: #4210

Description:
Software places user-controlled input in HTTP headers. An attacker could inject line separators (CR/LF sequences) that could split the response message generated by the software into two messages. The second response is completely under the control of the attacker (intermediate web proxies may cache it), with could produce multiple conditions (web defacement, cache poisoning, cross-site scripting or page hijacking, see CWE-113 for full details). If software needs to generate HTTP headers depending on user-controlled input, such input should be properly neutralized (a white-list validation excluding CR/LF is recommended). Please note that cookies are received and sent in 'Cookie' header in HTTP messages, so if the software generates a Cookie from user input, the input should be properly validated as well.

agreementbot/api.go:325
w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))

@omordyk omordyk self-assigned this Dec 16, 2024
omordyk added a commit that referenced this issue Dec 16, 2024
@omordyk
Issue #4208 - Fix vulnerability CWE-113
8fca536 
Signed-off-by: Oleksandr Mordyk <[email protected]>
@omordyk omordyk mentioned this issue Dec 16, 2024
Merged
12 tasks
@omordyk omordyk linked a pull request Dec 16, 2024 that will close this issue
Fix vulnerabilities CWE-113 (issue #4208 issue #4209) #4210
Merged
12 tasks
omordyk added a commit that referenced this issue Jan 9, 2025
@omordyk
Issue #4208 - Fix vulnerability CWE-113
7a71a58 
Signed-off-by: Oleksandr Mordyk <[email protected]>
omordyk added a commit that referenced this issue Jan 9, 2025
@omordyk
Issue #4208 - Fix vulnerability CWE-113
c2f60bd 
Signed-off-by: Oleksandr Mordyk <[email protected]>
omordyk added a commit that referenced this issue Jan 9, 2025
@omordyk
Merge pull request #4210 from open-horizon/security_4208_4209
3163bff 
Fix vulnerabilities CWE-113 (issue #4208 issue #4209)
LiilyZhang pushed a commit to LiilyZhang/anax that referenced this issue Jan 9, 2025
@omordyk @LiilyZhang
Issue open-horizon#4208 - Fix vulnerability CWE-113
4e2951c 
Signed-off-by: Oleksandr Mordyk <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@omordyk omordyk

Labels
security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix vulnerabilities CWE-113 (issue #4208 issue #4209) open-horizon/anax
1 participant
@omordyk