go-admin-team/go-admin

go-admin code non-conformance and vulnerability issues pending confirmation

gavin360 opened this issue · 1 comment

Reproduction link

https://vue2.go-admin.dev/#/login

Steps to reproduce

1. Vulnerability scan
2. Used the tools gosec and govulncheck (officially provided by the Go project)

What is expected?

1. Fix the vulnerabilities
2. If they cannot be fixed, explain why

What is actually happening?

Vulnerabilities that govulncheck detected in go-admin:

Using go1.19 and govulncheck@v0.0.0 with
vulnerability data from https://vuln.go.dev (last modified 16 Feb 23 00:01 UTC).

Scanning your code and 474 packages across 109 dependent modules for known vulnerabilities...
Your code is affected by 6 vulnerabilities from 1 module and the Go standard library.

Vulnerability #1: GO-2022-1144
An attacker can cause excessive memory growth in a Go server
accepting HTTP/2 requests. HTTP/2 server connections contain a
cache of HTTP header keys sent by the client. While the total
number of entries in this cache is capped, an attacker sending
very large keys can cause the server to allocate approximately
64 MiB per open connection.

More info: https://pkg.go.dev/vuln/GO-2022-1144

Standard library
Found in: net/http@go1.19
Fixed in: net/http@go1.19.4

Call stacks in your code:
  cmd/api/server.go:117:2: go-admin/cmd/api.run calls net/http.Server.ListenAndServe
  cmd/api/server.go:117:2: go-admin/cmd/api.run calls net/http.Server.ListenAndServeTLS
Environment Info
go-admin 2.0.12
Go go
System Mac
Browser chrome 110.0.5481.100
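As an added example (not code from go-admin or from the issue author), the Go program below parses the govulncheck text report format quoted above and checks whether a given toolchain version is older than the "Fixed in" version; the report excerpt is constructed from the lines in the issue, and the `Affected` helper is an assumption of this example, not a govulncheck API.

```go
package main

import (
	"strconv"
	"strings"
)

// Finding is one entry parsed from govulncheck's plain-text report.
type Finding struct{ ID, Package, FoundIn, FixedIn string }

// sampleReport is a constructed excerpt in the report format quoted in the issue.
const sampleReport = `Vulnerability #1: GO-2022-1144
Standard library
Found in: net/http@go1.19
Fixed in: net/http@go1.19.4`

// ParseGovulncheck collects ID, package, Found-in and Fixed-in versions per finding.
func ParseGovulncheck(report string) []Finding {
	var out []Finding
	for _, line := range strings.Split(report, "\n") {
		line = strings.TrimSpace(line)
		switch cur := len(out) - 1; {
		case strings.HasPrefix(line, "Vulnerability #"):
			_, id, _ := strings.Cut(line, ": ")
			out = append(out, Finding{ID: id})
		case cur < 0: // summary lines before the first finding
		case strings.HasPrefix(line, "Found in: "):
			out[cur].Package, out[cur].FoundIn, _ = strings.Cut(strings.TrimPrefix(line, "Found in: "), "@")
		case strings.HasPrefix(line, "Fixed in: "):
			_, out[cur].FixedIn, _ = strings.Cut(line, "@")
		}
	}
	return out
}

// Affected reports whether toolchain version have (e.g. "go1.19") is older than
// fixedIn (e.g. "go1.19.4"). A missing patch field counts as 0; pre-release
// suffixes such as "rc1" are not handled and also parse as 0.
func Affected(have, fixedIn string) bool {
	parts := func(v string) (p [3]int) {
		for i, s := range strings.SplitN(strings.TrimPrefix(v, "go"), ".", 3) {
			p[i], _ = strconv.Atoi(s)
		}
		return p
	}
	h, f := parts(have), parts(fixedIn)
	return h[0] < f[0] || h[0] == f[0] && (h[1] < f[1] || h[1] == f[1] && h[2] < f[2])
}
```

Feeding `runtime.Version()` as the first argument of `Affected` tells you whether the toolchain you build with is still below the fix release; govulncheck itself does this comparison against the database, so this is only useful when you have a saved text report and no network access.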

go-admin currently supports up to version 1.18.2; 1.19 and later have not been upgraded to yet. PRs are welcome.