[Security] (CWE-88): Potential HTTP request made with variable url #138

Open
leecalcote opened this issue Dec 30, 2021 · 3 comments
Labels
kind/chore Necessary task language/go Golang related security

Comments

@leecalcote
Member

Current Behavior

This golang security check is failing - https://github.com/meshery/meshery-traefik-mesh/runs/4581108903?check_suite_focus=true with the following details:

[/github/workspace/internal/config/releases.go:70] - G107 (CWE-88): Potential HTTP request made with variable url (Confidence: MEDIUM, Severity: MEDIUM)
    69: 	// #nosec`
  > 70: 	resp, err := http.Get(releaseAPIURL)
    71: 	if err != nil {

Contributor Guides and Resources

@alphaX86
Member

@leecalcote for this adapter, I see that the function fetches a "list" of latest releases... I also referred to Meshkit's code, which has a similar function but fetches only the one latest version. So, shall I use it? Or is fetching a list intended for this mesh adapter?

@leecalcote
Member Author

@Revolyssup, do you have a perspective here?

@saurabh100ni added and removed the issue/stale label (Issue has not had any activity for an extended period of time) on Nov 9, 2023
@saurabh100ni
This issue has been open for some time with no recent activity; unassigning to open it up for new contributors to give it a go.
