8000
chore(deps): update dependency zitadel/zitadel to v3.2.0 by uniget-bot · Pull Request #12493 · uniget-org/tools · GitHub
More Web Proxy on the site http://driver.im/
8000
You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin.
Details
gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice.
// URL specifies either the URI being requested (for server
// requests) or the URL to access (for client requests).
//
// For server requests, the URL is parsed from the URI
// supplied on the Request-Line as stored in RequestURI. For
// most requests, fields other than Path and RawQuery will be
// empty. (See [RFC 7230, Section 5.3](https://rfc-editor.org/rfc/rfc7230.html#section-5.3))
//
// For client requests, the URL's Host specifies the server to
// connect to, while the Request's Host field optionally
// specifies the Host header value to send in the HTTP
// request.
URL *[url](https://pkg.go.dev/net/url).[URL](https://pkg.go.dev/net/url#URL)
PoC
create trusted origin target.example.test protected with gorilla/csrf and served over TLS hosting form on /submit
create attacker origin attack.example.test served over TLS
attacker exfiltrates token & cookie combination from target.example.test
attacker sets exfiltrated cookie with domain=.example.test and path=/submit
as the cookie has a more specific path than / (the default for CSRF cookies) it will be sent first by the browser on submit to our target origin
submit form from attack.example.test with exfiltrated CSRF form token
observe valid form submission as attack.example.test Origin / Referer headers are not validated.
Impact
This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain.
This bug has existed in gorilla/csrf since its initial release in 2015.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.1.0->3.2.0Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
zitadel/zitadel (zitadel/zitadel)
v3.2.0Compare Source
Features
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.