fix(deps): update module github.com/gofiber/fiber/v2 to v2.52.1 [security]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| github.com/gofiber/fiber/v2 | v2.46.0 -> v2.52.1 | | | | |
GitHub Vulnerability Alerts
CVE-2023-41338
Impact
This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the ctx.IsFromLocal() method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.
Its implementation uses c.IPs():

```go
// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.
// When IP validation is enabled, only valid IPs are returned.
func (c *Ctx) IPs() []string {
	return c.extractIPsFromHeader(HeaderXForwardedFor)
}
```

Consequently, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host makes ctx.IsFromLocal() return true.
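To make the misconfiguration concrete, here is an added example in plain net/http (not Fiber's code) that models the header-trusting check the advisory describes next to a check that uses only the transport peer address; the request helper, the `/admin` path and the sample addresses are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isLoopback reports whether addr (a bare IP or host:port) is a loopback address.
func isLoopback(addr string) bool {
	host := addr
	if h, _, err := net.SplitHostPort(addr); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// isFromLocalUnsafe models the pre-v2.49.2 behaviour described in the advisory:
// the first X-Forwarded-For entry is trusted, and any client can set that header.
func isFromLocalUnsafe(r *http.Request) bool {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		first := strings.TrimSpace(strings.Split(xff, ",")[0])
		return isLoopback(first)
	}
	return isLoopback(r.RemoteAddr)
}

// isFromLocalSafe ignores forwarding headers entirely and decides on the
// address the connection actually came from.
func isFromLocalSafe(r *http.Request) bool {
	return isLoopback(r.RemoteAddr)
}

// newRequest builds a constructed request from peer remoteAddr, with an
// optional X-Forwarded-For header (constructed test data, not a real capture).
func newRequest(remoteAddr, xff string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	spoofed := newRequest("203.0.113.10:51234", "127.0.0.1")
	fmt.Println("header-trusting check, spoofed header:", isFromLocalUnsafe(spoofed)) // true
	fmt.Println("peer-address check, spoofed header:   ", isFromLocalSafe(spoofed))   // false
	fmt.Println("peer-address check, real loopback:    ", isFromLocalSafe(newRequest("[::1]:4242", ""))) // true
}
```

Behind a reverse proxy the peer address is the proxy's, so a loopback check on it still gives the honest answer; a forwarding header should only be consulted when the proxy that sets it is known and trusted, and never for a localhost-only gate.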
Patches
This issue has been patched in v2.49.2 with commit b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc
Workarounds
Currently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.
References
For further information and context regarding this security issue, please refer to the following resources:
CVE-2023-45128
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.
Vulnerability Details
The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:
- Token Injection: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.
- Lack of Token Association: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.
Specific Go Packages Affected
github.com/gofiber/fiber/v2/middleware/csrf
Remediation
To remediate this vulnerability, it is recommended to take the following actions:
- Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.
- Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.
- Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.
- Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.
Defence-in-depth
Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Strict, and the Secure and HttpOnly attributes.
CVE-2023-45141
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.
Vulnerability Details
The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:
- Lack of Token Association: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.
Remediation
To remediate this vulnerability, it is recommended to take the following actions:
- Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.
- Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.
- Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.
- Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.
Defence-in-depth
Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Strict, and the Secure and HttpOnly attributes.
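As an added example (not Fiber's csrf middleware) covering both CSRF advisories above, this stdlib Go code issues one token per session and validates unsafe requests only against the token issued to the requesting session, reading the token from a header rather than from the cookie and never writing cookie values to storage; the `session_id` cookie and `X-Csrf-Token` header names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/http"
	"net/http/httptest"
	"sync"
)

var ErrNoSession = errors.New("csrf: request carries no session cookie")
var ErrTokenMismatch = errors.New("csrf: token was not issued to this session")
// tokenStore keeps one CSRF token per session ID, so a token minted for one
// requestor cannot be replayed by another (the "token association" issue).
type tokenStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newTokenStore() *tokenStore { return &tokenStore{tokens: map[string]string{}} }
// Issue mints a fresh random token for sessionID, replacing any earlier one.
func (s *tokenStore) Issue(sessionID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[sessionID] = tok
	return tok, nil
}

// Validate passes safe methods through without touching storage (storing cookie
// values on such requests was the "token injection" issue). Unsafe methods must
// carry, in a header the browser never adds on its own, the exact token issued
// to the session named by the cookie (hypothetical names, see lead-in).
func (s *tokenStore) Validate(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return nil
	}
	c, err := r.Cookie("session_id")
	if err != nil {
		return ErrNoSession
	}
	s.mu.Lock()
	want, known := s.tokens[c.Value]
	s.mu.Unlock()
	got := r.Header.Get("X-Csrf-Token")
	// known matters: ConstantTimeCompare reports two empty strings as equal.
	if !known || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		return ErrTokenMismatch
	}
	return nil
}

// requestWith builds a constructed request with optional session cookie and token header.
func requestWith(method, sessionID, token string) *http.Request {
	r := httptest.NewRequest(method, "/transfer", nil)
	if sessionID != "" {
		r.AddCookie(&http.Cookie{Name: "session_id", Value: sessionID})
	}
	if token != "" {
		r.Header.Set("X-Csrf-Token", token)
	}
	return r
}
```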
CVE-2024-25124
The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.
Impact
The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.
Proof of Concept
The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.
Potential Solution
Here is a potential solution to ensure the CORS configuration is secure:
```go
func New(config ...Config) fiber.Handler {
	// Resolve the user-supplied config against the defaults (configDefault in Fiber's cors middleware)
	cfg := configDefault(config...)
	if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
		panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
	}
	// Return new handler goes below
}
```
The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.
Workarounds
In the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch API, browsers, and utilities that enforce CORS policies are not affected by this.
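An added example (not Fiber's cors middleware) of the validation the advisory proposes, carried one step further: it refuses the wildcard-with-credentials combination before any handler is built and, for an allowlist, only ever echoes the exact requesting origin with Vary: Origin; the `Config` type and the example origins are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Config holds the two options the advisory is about; constructed for this example.
type Config struct {
	AllowOrigins     string // comma-separated allowlist, or "*"
	AllowCredentials bool
}

var ErrInsecureCORS = errors.New("cors: AllowOrigins \"*\" cannot be combined with AllowCredentials")

// validate rejects the wildcard-with-credentials combination up front rather
// than letting it reach production silently.
func validate(cfg Config) error {
	if cfg.AllowCredentials && strings.TrimSpace(cfg.AllowOrigins) == "*" {
		return ErrInsecureCORS
	}
	return nil
}

// originAllowed reports whether origin is covered by the wildcard or is an exact allowlist entry.
func originAllowed(cfg Config, origin string) bool {
	if strings.TrimSpace(cfg.AllowOrigins) == "*" {
		return true
	}
	for _, o := range strings.Split(cfg.AllowOrigins, ",") {
		if strings.TrimSpace(o) == origin {
			return true
		}
	}
	return false
}

// corsHeaders computes the CORS response headers for a request from origin.
// A credentialed response always names the one requesting origin and adds
// Vary: Origin so a shared cache never serves it to a different origin.
func corsHeaders(cfg Config, origin string) (http.Header, error) {
	if err := validate(cfg); err != nil {
		return nil, err
	}
	h := http.Header{}
	if origin == "" || !originAllowed(cfg, origin) {
		return h, nil // not a cross-origin request, or a disallowed origin: emit nothing
	}
	switch {
	case cfg.AllowCredentials:
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Add("Vary", "Origin")
	case strings.TrimSpace(cfg.AllowOrigins) == "*":
		h.Set("Access-Control-Allow-Origin", "*")
	default:
		h.Set("Access-Control-Allow-Origin", origin)
		h.Add("Vary", "Origin")
	}
	return h, nil
}

func main() {
	_, err := corsHeaders(Config{AllowOrigins: "*", AllowCredentials: true}, "https://app.example")
	fmt.Println("wildcard + credentials:", err)
	h, _ := corsHeaders(Config{AllowOrigins: "https://app.example", AllowCredentials: true}, "https://app.example")
	fmt.Println("allowlisted + credentials:", h)
}
```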
References
- MDN Web Docs on CORS Errors
- CodeQL on CORS Misconfiguration
- PortSwigger on Exploiting CORS Misconfigurations
- WhatWG CORS protocol and credentials
Release Notes
gofiber/fiber (github.com/gofiber/fiber/v2)
v2.52.1
👮 Security
- Middleware/cors: Insecure CORS Configuration Allowing Wildcard Origin with Credentials (GHSA-fmg4-x8pw-hjhg) https://docs.gofiber.io/api/middleware/cors
🐛 Fixes
- Middleware/healthcheck: Not working with route group (#2863)
📚 Documentation
- Fix default value to false in docs of QueryBool (#2811)
- Fix code snippet indentation in /docs/api/middleware/keyauth.md (#2867)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.0...v2.52.1
Thank you @luk3skyw4lker, @CAEL0, @grivera64, @gaby and @sixcolors for making this update possible.
v2.52.0
🚀 New
- Middleware/healthcheck: Add liveness and readiness checks (#2509) https://docs.gofiber.io/api/middleware/healthcheck
```go
// Direct usage with default config
app.Use(healthcheck.New())

// Or extend your config for customization
app.Use(healthcheck.New(healthcheck.Config{
	LivenessEndpoint: "/live",
	LivenessProbe: func(c *fiber.Ctx) bool {
		return true
	},
	ReadinessEndpoint: "/ready",
	ReadinessProbe: func(c *fiber.Ctx) bool {
		return serviceA.Ready() && serviceB.Ready() && ...
	},
}))
```
🧹 Updates
- Middlewares: don't constrain middlewares context-keys to strings (#2751)
- Middleware/logger: colorize logger error message #2593 (#2773)
- Middleware/logger: changing default log output (#2730)
- Middleware/logger: log client IP address by default (#2755)
- Middleware/encryptcookie: update default config (#2753)
- Improve benchmarks for getOffer (#2739)
🛠️ Maintenance
- Bump github/codeql-action from 2 to 3 (#2763)
- Bump github.com/google/uuid from 1.4.0 to 1.5.0 (#2762)
- Bump actions/setup-go from 4 to 5 (#2754)
- Bump golang.org/x/sys from 0.14.0 to 0.15.0 (#2744)
- Bump github.com/valyala/fasthttp from 1.50.0 to 1.51.0 (#2721)
🐛 Fixes
- Middleware/redirect: fix for redirect with query params (#2748)
- Middleware/adaptor: Adaptor + otelfiber issue #2641 (#2772)
- Middleware/cors: Should use the defined AllowedOriginsFunc config when AllowedOrigins is empty (#2771)
- Middleware/session: Race in session middleware tests (#2740)
- Middleware/csrf: Fix failing CSRF tests (#2720)
- Fix race condition in parallel tests (#2734)
- utils.IsIPv4 and net.ParseIP have inconsistent results #2735 (#2736)
📚 Documentation
- Middleware/csrf: Improve csrf docs (#2726)
- Update app.md for indentation (#2761)
- Update default config (#2753)
- Update CONTRIBUTING.md (#2752)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.51.0...v2.52.0
Thank you @MehmetFiratKomurcu, @benjajaja, @brunodmartins, @gilwo, @iredmail, @itswcg, @luk3skyw4lker, @muhammadkholidb, @nickajacks1, @sixcolors and @tokelo-12 for making this update possible.
v2.51.0
🚀 New
- Add support for parameters in content negotiation (#2678) RFC https://docs.gofiber.io/api/ctx#accepts
```go
// Consideration of parameters in the accepted headers
// Accept: text/plain, application/json; version=1; foo=bar
app.Get("/", func(c *fiber.Ctx) error {
	// Extra parameters in the accept are ignored
	c.Accepts("text/plain;format=flowed") // "text/plain;format=flowed"
	// An offer must contain all parameters present in the Accept type
	c.Accepts("application/json") // ""
	// Parameter order and capitalization does not matter. Quotes on values are stripped.
	c.Accepts(`application/json;foo="bar";VERSION=1`) // "application/json;foo="bar";VERSION=1"
})
```
- Add support for application/problem+json (#2704) https://docs.gofiber.io/api/ctx#json https://docs.gofiber.io/api/client#json
```go
// Passing a custom json type
ctx.JSON(fiber.Map{
	"type":     "https://example.com/probs/out-of-credit",
	"title":    "You do not have enough credit.",
	"status":   403,
	"detail":   "Your current balance is 30, but that costs 50.",
	"instance": "/account/12345/msgs/abc",
}, fiber.)
```
🧹 Updates
🛠️ Maintenance
- Bump golang.org/x/sys from 0.13.0 to 0.14.0 (#2707)
- Bump github.com/google/uuid from 1.3.1 to 1.4.0 (#2693)
- Bump actions/setup-node from 3 to 4 (#2690)
- Bump github.com/mattn/go-isatty from 0.0.19 to 0.0.20 (#2679)
🐛 Fixes
- Middleware/limiter: fix intermittent failures (#2716)
- Naming of routes works wrong after mount #2688 (#2689)
- Fix method validation on route naming (#2686)
📚 Documentation
- Changed "Twitter" to "X (Twitter)" in README.md Contribute Section (#2696)
- Add additional information as to why GetReqHeaders returns a map where the values are slices of strings (#2698)
- Enhance csrf.md (#2692)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.50.0...v2.51.0
Thank you @BandhiyaHardik, @database64128, @efectn, @moritz157, @nickajacks1, @rhburt and @sixcolors for making this update possible.
v2.50.0
❗ Breaking Changes
- Change signatures of GetReqHeaders and GetRespHeaders (#2650)
To allow single and list values under headers according to the rfc standard
```diff
- func (c *Ctx) GetReqHeaders() map[string]string
+ func (c *Ctx) GetReqHeaders() map[string][]string
- func (c *Ctx) GetRespHeaders() map[string]string
+ func (c *Ctx) GetRespHeaders() map[string][]string
```
👮 Security
- Middleware/csrf: Token Vulnerability (GHSA-mv73-f69x-444p, GHSA-94w9-97p3-p368) https://docs.gofiber.io/api/middleware/csrf
🚀 Improvements to the CSRF middleware:
- Added support for single-use tokens through the `SingleUseToken` configuration option.
- Optional integration with GoFiber session middleware through the `Session` and `SessionKey` configuration options.
- Introduction of origin checks for HTTPS connections to verify referer headers.
- Implementation of a Double Submit Cookie approach for CSRF token generation and validation when used without `Session`.
- Enhancement of error handling with more descriptive error messages.
- The documentation for the CSRF middleware has been enhanced with the addition of the new options and best practices to improve security.
Thank you @sixcolors
🚀 New
- Cookie parser (#2656) https://docs.gofiber.io/api/ctx#cookieparser
```go
// Field names should start with an uppercase letter
type Person struct {
	Name string `cookie:"name"`
	Age  int    `cookie:"age"`
	Job  bool   `cookie:"job"`
}

// Example route
app.Get("/", func(c *fiber.Ctx) error {
	p := new(Person)
	// This method is similar to BodyParser, but for cookie parameters
	if err := c.CookieParser(p); err != nil {
		return err
	}
	log.Println(p.Name) // Joseph
	log.Println(p.Age)  // 23
	log.Println(p.Job)  // true
})
```
- Middleware/cors: Allow disabling caching in preflight requests (#2649) https://docs.gofiber.io/api/middleware/cors#config
```go
// To disable caching completely, pass a negative MaxAge value. It will set the Access-Control-Max-Age header to 0.
app.Use(cors.New(cors.Config{MaxAge: -1}))
```
- Middleware/session: Add Reset method to Session struct in session middleware (#2654) https://docs.gofiber.io/api/middleware/session#signatures
```go
// Provide more flexibility in session management, especially in scenarios like repeated user logins
func (s *Session) Reset() error
```
Example usage:
```go
// Initialize default config
// This stores all of your app's sessions
store := session.New()

app.Post("/login", func(c *fiber.Ctx) error {
	// Get session from storage
	sess, err := store.Get(c)
	if err != nil {
		panic(err)
	}

	// ... validate login ...

	// Check if the session is fresh
	if !sess.Fresh() {
		// If the session is not fresh, reset it
		if err := sess.Reset(); err != nil {
			panic(err)
		}
	}

	// Set new session data
	sess.Set("user_id", user.ID)

	// Save session
	if err := sess.Save(); err != nil {
		panic(err)
	}

	return c.SendString(fmt.Sprintf("Welcome %v", user.ID))
})
```
- Middleware/session: Add Delete method to Store struct in session middleware (#2655) https://docs.gofiber.io/api/middleware/session#signatures
```go
// Provide more control over individual session management, especially in scenarios
// like administrator-enforced user logout or user-initiated logout from a specific device session
func (s *Store) Delete(id string) error
```
Example usage:
```go
app.Post("/admin/session/:id/logout", func(c *fiber.Ctx) error {
	// Get session id from request
	sessionID := c.Params("id")

	// Delete the session
	if err := store.Delete(sessionID); err != nil {
		return c.Status(500).SendString(err.Error())
	}

	return c.SendString("Logout successful")
})
```
🧹 Updates
- Middleware/filesystem: Improve status for SendFile (#2664)
- Middleware/filesystem: Set response code (#2632)
- Refactor Ctx.Method func to improve code readability (#2647)
🛠️ Maintenance
- Fix loop variable captured by func literal (#2660)
- Run gofumpt and goimports (#2662)
- Use utils.AssertEqual instead of t.Fatal on some tests (#2653)
- Apply go fix ./... with latest version of go in repository (#2661)
- Bump github.com/valyala/fasthttp from 1.49.0 to 1.50.0 (#2634)
- Bump golang.org/x/sys from 0.12.0 to 0.13.0 (#2665)
🐛 Fixes
- Path checking on route naming (#2676)
- Incorrect log depth when use log.WithContext (#2666)
- Jsonp ignoring custom json encoder (#2658)
- PassLocalsToView when bind parameter is nil (#2651)
- Parse ips return invalid in abnormal case (#2642)
- Bug parse custom header (#2638)
- Middleware/adaptor: Reduce memory usage by replacing io.ReadAll() with io.Copy() (#2637)
- Middleware/idempotency: Nil pointer dereference issue on idempotency middleware (#2668)
📚 Documentation
- Incorrect status code source (#2667)
- Middleware/requestid: Typo in requestid.md (#2675)
- Middleware/cors: Update docs to better explain AllowOriginsFunc (#2652)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.49.2...v2.50.0
Thank you @KaptinLin, @Skyenought, @cuipeiyu, @dairlair, @efectn, @gaby, @geerew, @huykn, @jimmyl02, @joey1123455, @joshlarsen, @jscappini, @peczenyj and @sixcolors for making this update possible.
v2.49.2
🧹 Updates
- Middleware/logger: Enabling color changes padding for some fields #2604 (#2616)
- Bump actions/checkout from 3 to 4 (#2618)
- Bump golang.org/x/sys from 0.11.0 to 0.12.0 (#2617)
🐛 Fixes
- Vulnerability in Ctx.IsFromLocal (https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f)
📚 Documentation
- Replaced double quotes with backticks in all route parameter strings (#2591)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.49.1...v2.49.2
Thank you @11-aryan and @AKARSHITJOSHI for making this update possible.
v2.49.1
🧹 Updates
- Bump github.com/valyala/fasthttp from 1.48.0 to 1.49.0 (#2615)
🐛 Fixes
- Rollback changes to go.mod file (#2614)
📚 Documentation
Full Changelog: https://github.com/gofiber/fiber/compare/v2.49.0...v2.49.1
Thank you @KompocikDot, @LimJiAn and @gaby for making this update possible.
v2.49.0
❗ Breaking Changes
- Add config to enable splitting by comma in parsers (#2560) https://docs.gofiber.io/api/fiber#config
EnableSplittingOnParsers splits the query/body/header parameters by comma when it's true (default: false).
For example, you can use it to parse multiple values from a query parameter like this: /api?foo=bar,baz == foo[]=bar&foo[]=baz
🚀 New
- Add custom data property to favicon middleware config (#2579) https://docs.gofiber.io/api/middleware/favicon#config
This allows the user to use //go:embed flags to load favicon data during build-time, and supply it to the middleware instead of reading the file every time the application starts.
🧹 Updates
- Middleware/logger: Latency match gin-gonic/gin formatter (#2569)
- Middleware/filesystem: Refactor: use `errors.Is` instead of `os.IsNotExist` (#2558)
- Use Global vars instead of local vars for isLocalHost (#2595)
- Remove redundant nil check (#2584)
- Bump github.com/mattn/go-runewidth from 0.0.14 to 0.0.15 (#2551)
- Bump github.com/google/uuid from 1.3.0 to 1.3.1 (#2592)
- Bump golang.org/x/sys from 0.10.0 to 0.11.0 (#2563)
- Add go 1.21 to ci and readmes (#2588)
🐛 Fixes
- Middleware/logger: Default latency output format (#2580)
- Decompress request body when multi Content-Encoding sent on request headers (#2555)
📚 Documentation
- Fix wrong JSON docs (#2554)
- Update io/ioutil package to io package (#2589)
- Replace EG flag with the proper and smaller SVG (#2585)
- Added Egyptian Arabic readme file (#2565)
- Translate README to Portuguese (#2567)
- Improve *fiber.Client section (#2553)
- Improved the config section of the middleware readmes (#2552)
- Added documentation about ctx Fresh (#2549)
- Update intro.md (#2550)
- Fixed link to slim template engine (#2547)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.48.0...v2.49.0
Thank you @Jictyvoo, @Juneezee, @Kirari04, @LimJiAn, @PassTheMayo, @andersonmiranda-com, @bigpreshy, @efectn, @renanbastos93, @scandar, @sixcolors and @stefanb for making this update possible.
v2.48.0
🚀 New
- Add ability to print custom message on startup (#2491) https://docs.gofiber.io/guide/hooks#onlisten
```go
app := fiber.New(fiber.Config{
	DisableStartupMessage: true,
})

app.Hooks().OnListen(func(listenData fiber.ListenData) error {
	if fiber.IsChild() {
		return nil
	}
	scheme := "http"
	if listenData.TLS { // the original snippet referenced an undefined `data`; the hook argument is listenData
		scheme = "https"
	}
	log.Println(scheme + "://" + listenData.Host + ":" + listenData.Port)
	return nil
})

app.Listen(":5000")
```
- Add Logger interface and fiberlog (#2499) https://docs.gofiber.io/api/log
🧹 Updates
- Dictpool is not completely gone (#2540)
- Bump golang.org/x/sys from 0.9.0 to 0.10.0 (#2530)
- Bump github.com/valyala/fasthttp from 1.47.0 to 1.48.0 (#2511)
🐛 Fixes
- Middleware/logger: Default logger color behaviour (#2513)
📚 Documentation
- Fix link (#2542)
- Fix bad documentation on queries function (#2522)
- Fix validation-guide (#2517)
- Add a warning on security implications when using X-Forwarded-For improperly (#2520)
- Fix typo (#2518)
- Typo in ctx.md (#2516)
- Fix comment in client.go (#2514)
- Fix docs api fiber custom config (#2510)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.47.0...v2.48.0
Thank you @ForAeons, @RHeynsZa, @Saman-Safaei, @Skyenought, @Z3NTL3, @andre-dasilva, @cmd777, @dozheiny, @efectn, @f1rstmehul, @gaby, @itcuihao and @mo1ein for making this update possible.
v2.47.0
🚀 New
- Add queries function (#2475) https://docs.gofiber.io/api/ctx#queries
```go
// GET /api/posts?filters.author.name=John&filters.category.name=Technology
app.Get("/", func(c *fiber.Ctx) error {
	m := c.Queries()
	m["filters.author.name"]   // John
	m["filters.category.name"] // Technology
})
```
- Middleware/logger: Add DisableColors to set the default output format (#2493) https://docs.gofiber.io/api/middleware/logger#config
```go
// Disable colors when outputting to default format
app.Use(logger.New(logger.Config{
	DisableColors: true,
}))
```
🧹 Updates
- Update getOffer to consider quality and specificity (#2486)
- Use c.app.getString instead of string(...) (#2489)
- Bump github.com/mattn/go-isatty from 0.0.18 to 0.0.19 (#2474)
- Bump golang.org/x/sys from 0.8.0 to 0.9.0 (#2508)
🐛 Fixes
- Middleware/limiter: Fix Sliding Window limiter when SkipSuccessfulRequests/SkipFailedRequests is used. (#2484)
- Fix onListen hooks when they are used with prefork mode (#2504)
- Fix middleware naming and returned values of group methods (#2477)
- Treat case for possible timer memory leak (#2488)
- Reset terminal colors after print routes (#2481)
📚 Documentation
- Update version of html template (#2505)
- Translate README_fa.md (#2496)
- Correcting a syntax error in the README (#2473)
Full Changelog: https://github.com/gofiber/fiber/compare/v2.46.0...v2.47.0
Thank you @Kamandlou, @Satont, @Skyenought, @cmd777, @dozheiny, @efectn, @gaby, @kaazedev, @luk3skyw4lker, @obakumen, @sixcolors and @ytsruh for making this update possible.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.