Multiple security alerts were identified by CodeQL:
- Insecure HostKeyCallback (CWE-322): The SFTP implementation was using
ssh.InsecureIgnoreHostKey(), which makes connections vulnerable to Man-in-the-Middle (MitM) attacks.
- Allocation Size Overflow (CWE-190): The
pkg/crypto package lacked a check on plaintext length before buffer allocation, potentially leading to integer overflows or panics with extremely large inputs.
These issues are addressed in PR #161 by implementing a secure default known_hosts check for SFTP and adding a length guard in the crypto package.
Multiple security alerts were identified by CodeQL:
ssh.InsecureIgnoreHostKey(), which makes connections vulnerable to Man-in-the-Middle (MitM) attacks.pkg/cryptopackage lacked a check on plaintext length before buffer allocation, potentially leading to integer overflows or panics with extremely large inputs.These issues are addressed in PR #161 by implementing a secure default
known_hostscheck for SFTP and adding a length guard in the crypto package.