[🐸 Frogbot] Update version of golang.org/x/net to 0.23.0 #945
📦 Vulnerable Dependencies

✍️ Summary

Severity: Medium

🔬 Research Details

Description:

The `net/http` package in Go is used for handling HTTP requests and responses. HTTP/2 is a binary protocol in which the client and server exchange binary frames instead of the text lines used in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. Each frame carries a frame type, length, flags, stream identifier (ID), and payload.

The `HEADERS` frame type carries the HTTP headers of both requests and responses and defines several flags. The `CONTINUATION` frame type is similar to the `HEADERS` frame, but it has just one flag: `END_HEADERS`. When that flag is not set, the peer knows that more headers follow in subsequent `CONTINUATION` frames.

This mechanism allows an attacker to send an HTTP/2 stream of `CONTINUATION` frames without ever setting the `END_HEADERS` flag. Because the receiver buffers all of these frames in memory until the header block is complete, an excessive number of such crafted frames causes a denial of service.

Although the `net/http` package uses HTTP/2 by default, a Go web server must have HTTPS configured to be vulnerable to exploitation. The `x/net/http2` package is vulnerable by default.

Remediation:

Development mitigations

Since Go version 1.6, the `net/http` package uses HTTP/2 by default when serving over HTTPS. You can disable HTTP/2 by setting `Server.TLSNextProto` (for servers) to a non-nil, empty map. For example:

Alternatively, the following GODEBUG settings are also supported, which disable HTTP/2 server support:
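As an added example (not part of the Frogbot advisory or of the Go project's own code), the `Server.TLSNextProto` mitigation described above as a runnable Go program, with a small check that tells the default configuration (HTTP/2 negotiated) apart from the hardened one; the handler, the listen address and the `http2Enabled` helper are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"time"
)

// newHardenedServer returns an *http.Server that never negotiates HTTP/2.
// net/http wires up its bundled HTTP/2 implementation only when TLSNextProto
// is nil; a non-nil, empty map tells it to leave ALPN negotiation alone, so
// clients fall back to HTTP/1.1 and the CONTINUATION-frame code path is
// never reached for this server.
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: h,
		// Non-nil, empty map: disables HTTP/2 for this server only.
		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
		// Bounding header read time is a cheap, independent defence against
		// clients that trickle headers slowly.
		ReadHeaderTimeout: 10 * time.Second,
	}
}

// newDefaultServer is the "before" configuration: TLSNextProto is left nil,
// so ListenAndServeTLS silently enables HTTP/2 (Go >= 1.6).
func newDefaultServer(addr string, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: h}
}

// http2Enabled reports whether srv will advertise "h2" via ALPN: a nil map is
// populated with "h2" by net/http at startup, and a map that already carries
// an "h2" entry means HTTP/2 was configured explicitly.
func http2Enabled(srv *http.Server) bool {
	if srv.TLSNextProto == nil {
		return true
	}
	_, ok := srv.TLSNextProto["h2"]
	return ok
}

func main() {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello over %s\n", r.Proto) // r.Proto is "HTTP/1.1" on the hardened server
	})
	fmt.Println("default  HTTP/2 enabled:", http2Enabled(newDefaultServer(":8443", h)))
	fmt.Println("hardened HTTP/2 enabled:", http2Enabled(newHardenedServer(":8443", h)))
	// newHardenedServer(":8443", h).ListenAndServeTLS("cert.pem", "key.pem") would start it.
}
```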
🐸 JFrog Frogbot