mikeee / gin-limits Goto Github PK
View Code? Open in Web Editor NEWGin framework middleware that implements basic connection throttling
License: MIT License
Gin framework middleware that implements basic connection throttling
License: MIT License
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
.github/workflows/go.yaml
actions/checkout v4
actions/setup-go v5
codecov/codecov-action v4
go.mod
go 1.19
github.com/gin-gonic/gin v1.9.1
github.com/stretchr/testify v1.9.0
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip
CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/gin-gonic/gIn-v1.9.0 version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2023-29401 | High | 7.5 | github.com/gin-gonic/gIn-v1.9.0 | Direct | N/A | ❌ |
Library home page: https://proxy.golang.org/github.com/gin-gonic/gin/@v/v1.9.0.zip
Dependency Hierarchy:
Found in base branch: main
In Gin Web Framework the filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.
Publish Date: 2023-04-05
URL: CVE-2023-29401
Base Score Metrics:
Step up your Open Source Security Game with Mend here
Found in HEAD commit: 7df6446da5cb7099c6f3d042fa4be81eccf38efb
CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/gin-GONIC/GIN-v1.9.1 version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-39325 | High | 7.5 | golang.org/x/net-v0.10.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.10.0.zip
Dependency Hierarchy:
Found in HEAD commit: 7df6446da5cb7099c6f3d042fa4be81eccf38efb
Found in base branch: main
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Publish Date: 2023-10-11
URL: CVE-2023-39325
Base Score Metrics:
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.