Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-2583: fix race condition in httpauth where the incorrect handler could be c… · ntbosscher/gobase@a8d40bc

A race condition can cause incorrect HTTP request routing.

CVE
#git#oauth#auth

@@ -106,6 +106,11 @@ func (c Config) getAccessTokenCookieName() string {

return strs.Coalesce(c.AccessTokenCookieName, “token”)

}

const defaultLoginEndpoint = “/api/auth/login”

const defaultRefreshEndpoint = “/api/auth/refresh”

const defaultLogoutEndpoint = “/api/auth/logout”

const defaultRegisterEndpoint = “/api/auth/register”

func Setup(router *res.Router, config Config) *AuthRouter {

loginPath := strs.Coalesce(config.LoginPath, defaultLoginEndpoint)

router.Post(loginPath, loginHandler(&config))

@@ -134,11 +139,10 @@ func Setup(router *res.Router, config Config) *AuthRouter {

oauth.Setup(router, config.OAuth, sessionSetter)

}

server := middleware(config)

server := newServer(config)

router.Use(func(h http.Handler) http.Handler {

server.next = h

return server

router.Use(func(handler http.Handler) http.Handler {

return cloneServer(server, handler)

})

return &AuthRouter{

@@ -148,7 +152,14 @@ func Setup(router *res.Router, config Config) *AuthRouter {

}

}

func middleware(config Config) *server {

func cloneServer(src *server, next http.Handler) *server {

clone := &server{}

*clone = *src

clone.next = next

return clone

}

func newServer(config Config) *server {

if config.CredentialChecker == nil {

log.Fatal(“github.com/ntbosscher/gobase/auth/authhttp.Middleware(config): config requires CredentialChecker”)

@@ -163,18 +174,13 @@ func middleware(config Config) *server {

}

type server struct {

next http.Handler

next http.Handler

perRequestFilter PerRequestFilter

ignoreRoutesWithPrefixes []string

ignoreRoutes []string

authHandler func(request *res.Request) (res.Responder, context.Context)

}

const defaultLoginEndpoint = “/api/auth/login”

const defaultRefreshEndpoint = “/api/auth/refresh”

const defaultLogoutEndpoint = “/api/auth/logout”

const defaultRegisterEndpoint = “/api/auth/register”

func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {

ignoredRoute := false

Related news

GHSA-4348-x292-h437: GoBase Race Condition vulnerability

A race condition can cause incorrect HTTP request routing.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907