UnnoTed / fileb0x

a better customizable tool to embed files in go; also update embedded files remotely without restarting the server

labstack/echo dependency is vulnerable

benjaminclauss opened this issue

```text
❯ go mod why -m github.com/labstack/echo
# github.com/labstack/echo
...
github.com/UnnoTed/fileb0x
github.com/labstack/echo
```

Warning:(178, 2) Dependency go:github.com/labstack/echo:v3.2.1+incompatible is vulnerable, safe version v3.3.6+incompatible CVE-2022-40083 9.6 URL Redirection to Untrusted Site ('Open Redirect') vulnerability with high severity found. Results powered by Checkmarx(c)

GHSA-crxj-hrmp-4rwf

Fix open redirect vulnerability in handlers serving static directories (e.Static, e.StaticFs, echo.StaticDirectoryHandler)

None of those are used in fileb0x, because when the Updater option is enabled (which is what makes use of echo) it creates a GET endpoint "/" that requires basic auth to access and serves a list of file names and their sha256 hashes.

https://github.com/UnnoTed/fileb0x/blob/master/template/files.go#L293

Quote from the README section "Update files remotely":

How does it work?
By enabling the updater option, the next time you generate a b0x it will include an HTTP server. This HTTP server uses HTTP basic auth and contains one endpoint, /, that accepts two methods: GET and POST.

The GET method responds with a list of file names and the sha256 hash of each file. The POST method is used to upload files: it creates the directory tree of a new file and then creates the file, or it updates an existing file in the virtual memory file system... it responds with an ok string when the upload is successful.