mikeee / demo_gin-csrf Goto Github PK
View Code? Open in Web Editor NEWQuick test of an example for a gin middleware that helps prevent csrf attacks
License: MIT License
demo_gin-csrf's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "renovate[bot]")
Stargazers
Watchers
demo_gin-csrf's Issues
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
Detected dependencies
github-actions
.github/workflows/go.yml
actions/checkout v4@b4ffde65f46336ab88eb53be808477a3936bae11actions/setup-go v4
gomod
go.mod
go 1.19github.com/gin-contrib/sessions v0.0.5github.com/gin-gonic/gin v1.9.1github.com/stretchr/testify v1.8.4github.com/utrack/gin-csrf v0.0.0-20190424104817-40fb8d2c8fca@40fb8d2c8fca
- Check this box to trigger a request for Renovate to run again on this repository
github.com/gin-gonic/gIn-v1.9.0: 1 vulnerabilities (highest severity is: 7.5) - autoclosed
Vulnerable Library - github.com/gin-gonic/gIn-v1.9.0
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (github.com/gin-gonic/gIn-v1.9.0 version) | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2023-29401 |  High |
7.5 | github.com/gin-gonic/gIn-v1.9.0 | Direct | N/A | โ |
Details
CVE-2023-29401
Vulnerable Library - github.com/gin-gonic/gIn-v1.9.0
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip
Dependency Hierarchy:
- โ github.com/gin-gonic/gIn-v1.9.0 (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Gin Web Framework the filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
Publish Date: 2023-04-05
URL: CVE-2023-29401
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Step up your Open Source Security Game with Mend here
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.