Is there a way to exclude encoding/xml package from being imported when I import echo? #2467
I'm not directly using the encoding/xml package in my app, but I believe echo is importing it because I'm using echo, even though I'm not using echo's XML functionalities. Is there a way to tell echo / my app to exclude it from being imported?

Why? It looks like the encoding/xml package has a couple of vulnerabilities that still haven't been addressed:

https://nvd.nist.gov/vuln/detail/CVE-2020-29509
https://nvd.nist.gov/vuln/detail/CVE-2020-29511

Looking forward to any ideas or workarounds.
You cannot exclude it. You can avoid using code paths that execute that package.
I think these CVEs are discussed here: golang/go#43168, and the disclosure info is here: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
You cannot exclude it. You can avoid using code paths that execute that package.

These are the following `echo.Context` methods:

- `c.XMLBlob()`
- `c.XML()`
- `c.XMLPretty()`
- `c.Bind()`, when the struct you are binding to is using the `xml:` struct tag
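As an added illustration of the "avoid the code paths" advice above (this is not echo's own code and not part of the original thread), the following stdlib-only middleware rejects request bodies whose `Content-Type` declares XML with `415 Unsupported Media Type` before any handler, and therefore before any `Bind()` call, can hand the body to `encoding/xml`. It uses `net/http` so it runs without echo; with echo it is assumed to be registered through `echo.WrapMiddleware`, which adapts a `func(http.Handler) http.Handler`. The two media types checked are `application/xml` and `text/xml`, the ones the original answer's `Bind()` path is concerned with; parameters such as `; charset=utf-8` are handled by `mime.ParseMediaType`.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// xmlContentTypes lists the media types treated as XML request bodies.
// Requests declaring any other type never reach an XML decoder.
var xmlContentTypes = map[string]bool{
	"application/xml": true,
	"text/xml":        true,
}

// isXMLContentType parses a Content-Type header value and reports whether
// its media type is one of the XML types. mime.ParseMediaType strips
// parameters ("; charset=utf-8") and lowercases the media type; an empty
// or malformed header yields an error and is treated as "not XML".
func isXMLContentType(ct string) bool {
	mediaType, _, err := mime.ParseMediaType(ct)
	if err != nil {
		return false
	}
	return xmlContentTypes[strings.ToLower(mediaType)]
}

// RejectXML is an http.Handler middleware that answers 415 for XML bodies
// and passes every other request to the wrapped handler unchanged.
func RejectXML(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isXMLContentType(r.Header.Get("Content-Type")) {
			http.Error(w, "XML request bodies are not accepted", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed POST through RejectXML wrapping a handler
// that always answers 200, and returns the status code the client would see.
// An empty contentType means the header is omitted entirely.
func statusFor(contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodPost, "/users", strings.NewReader(`{"name":"example"}`))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	RejectXML(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// With echo this middleware is assumed to be installed as
	// e.Use(echo.WrapMiddleware(RejectXML)) so it runs before Bind().
	for _, ct := range []string{
		"application/json",
		"application/xml; charset=utf-8",
		"text/xml",
		"TEXT/XML",
		"",
	} {
		fmt.Printf("%-34q -> %d\n", ct, statusFor(ct))
	}
}
```

This does not remove `encoding/xml` from the binary (the answer above is right that it cannot be removed), but it makes the XML decoding branch of `Bind()` unreachable for untrusted input, which is the condition the reachability-based vulnerability tooling in the Go ecosystem keys on. The response-side methods (`c.XML()`, `c.XMLBlob()`, `c.XMLPretty()`) are simply not called.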