rename repo name to chaos-tproxy #32
Signed-off-by: xixi <i@hexilee.me>
@@ -38,7 +38,7 @@ tracing-subscriber = "0.2" | |||
json-patch = "0.2.6" | |||
async-trait = "0.1.50" | |||
bytes = "1.0.1" | |||
rs-tproxy-proxy = {path = "./rs-tproxy-proxy"} | |||
chaos-tproxy-proxy = {path = "./chaos-tproxy-proxy"} |
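Review bot: renaming the path-dependency key to `chaos-tproxy-proxy` only builds if the crate at `./chaos-tproxy-proxy` also declares `name = "chaos-tproxy-proxy"` in its own `[package]` section and every `use rs_tproxy_proxy::…` in this crate becomes `use chaos_tproxy_proxy::…`; those edits and a regenerated Cargo.lock belong in this same PR so the rename lands atomically. While the manifest is open, the dependency scan below flags hyper 0.14.9 (CVE-2021-32714, CVE-2021-32715), and both advisories name hyper 0.14.10 as the fixed version, so bumping that pin here would be worthwhile.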
Critical OSS Vulnerability:
pkg:cargo/chaos-tproxy-proxy@0.1.0
1 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependency
Components
pkg:cargo/hyper@0.14.9
CRITICAL Vulnerabilities (1)
[CVE-2021-32714]
hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a Transfer-Encoding header or ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.
CVSS Score: 9.1
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
SEVERE Vulnerabilities (1)
[CVE-2021-32715]
hyper is an HTTP library for Rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
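A defensive counterpart to the "reject requests manually" workarounds in the two advisories above, as an added Rust example that is neither hyper's nor chaos-tproxy's code: a strict Content-Length parser that refuses the plus-sign prefix (Rust's own `u64::from_str` accepts a leading `+`, so a plain `parse()` is not enough), and a checked chunk-size parser that refuses sizes that do not fit in 64 bits instead of wrapping. Function names and the sample values are mine, and a chunk-size line is assumed to arrive with its CRLF already stripped.

```rust
// Added example, not code from hyper or chaos-tproxy: strict header checks a
// proxy front-end can apply before forwarding a request to a hyper <0.14.10
// backend, so the malformed forms named in the advisories are dropped here.

/// Parse a Content-Length value as RFC 7230 defines it: one or more ASCII
/// digits and nothing else. A leading '+' or '-' (CVE-2021-32715), whitespace
/// or a value above u64::MAX yields None.
pub fn parse_content_length(value: &str) -> Option<u64> {
    // Explicit digit check: `"+42".parse::<u64>()` would succeed on its own.
    if value.is_empty() || !value.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    // parse() still reports overflow as an error rather than wrapping.
    value.parse::<u64>().ok()
}

/// Parse a chunk-size line ("1a3f" or "1a3f;ext=1") with checked arithmetic,
/// so a hex size that does not fit in 64 bits (CVE-2021-32714) is rejected
/// instead of silently overflowing.
pub fn parse_chunk_size(line: &str) -> Option<u64> {
    // Chunk extensions follow the first ';'; trailing blanks before it are
    // tolerated but nothing else is.
    let hex = line.split(';').next()?.trim_end_matches(|c| c == ' ' || c == '\t');
    if hex.is_empty() {
        return None;
    }
    let mut size: u64 = 0;
    for b in hex.bytes() {
        let digit = (b as char).to_digit(16)? as u64;
        size = size.checked_mul(16)?.checked_add(digit)?;
    }
    Some(size)
}

/// Forward only if every framing value that is present parses strictly.
pub fn framing_acceptable(content_length: Option<&str>, chunk_size_line: Option<&str>) -> bool {
    content_length.map_or(true, |v| parse_content_length(v).is_some())
        && chunk_size_line.map_or(true, |l| parse_chunk_size(l).is_some())
}

fn main() {
    // Constructed sample values.
    println!("{:?}", parse_content_length("+42")); // None
    println!("{:?}", parse_content_length("42")); // Some(42)
    println!("{:?}", parse_chunk_size("ffffffffffffffff")); // Some(18446744073709551615)
    println!("{:?}", parse_chunk_size("10000000000000000")); // None, 2^64 overflows
}
```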
LGTM
Signed-off-by: xixi <i@hexilee.me>
close #22