rename repo name to chaos-tproxy #32

Merged
merged 2 commits into from
Feb 11, 2022
Conversation

Hexilee
Member

@Hexilee Hexilee commented Jan 19, 2022

Signed-off-by: xixi i@hexilee.me

close #22

Signed-off-by: xixi <i@hexilee.me>
Signed-off-by: xixi <i@hexilee.me>
@@ -38,7 +38,7 @@ tracing-subscriber = "0.2"
json-patch = "0.2.6"
async-trait = "0.1.50"
bytes = "1.0.1"
rs-tproxy-proxy = {path = "./rs-tproxy-proxy"}
chaos-tproxy-proxy = {path = "./chaos-tproxy-proxy"}
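Review bot: the renamed path dependency `chaos-tproxy-proxy = {path = "./chaos-tproxy-proxy"}` still resolves to the same crate contents, and the Lift scan on this hunk reports that `chaos-tproxy-proxy@0.1.0` pulls in `hyper@0.14.9`, which is flagged for CVE-2021-32714 (chunk-size integer overflow, CVSS 9.1) and CVE-2021-32715 (Content-Length with a plus-sign prefix accepted), both relevant to a crate whose job is to proxy HTTP; both are fixed in hyper 0.14.10, so consider bumping hyper to >= 0.14.10 in the renamed crate (and regenerating Cargo.lock) in this PR or a tracked follow-up. Also confirm the `./chaos-tproxy-proxy` directory and its `[package] name` were renamed together with this line, otherwise the path dependency will fail to resolve.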

Critical OSS Vulnerability:

pkg:cargo/chaos-tproxy-proxy@0.1.0

1 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:cargo/hyper@0.14.9
      CRITICAL Vulnerabilities (1)

        [CVE-2021-32714] hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP se...

        hyper is an HTTP library for Rust. In versions prior to 0.14.10, hyper's HTTP server and client code had a flaw that could trigger an integer overflow when decoding chunk sizes that are too big. This allows possible data loss, or if combined with an upstream HTTP proxy that allows chunk sizes larger than hyper does, can result in "request smuggling" or "desync attacks." The vulnerability is patched in version 0.14.10. Two possible workarounds exist. One may reject requests manually that contain a Transfer-Encoding header or ensure any upstream proxy rejects Transfer-Encoding chunk sizes greater than what fits in 64-bit unsigned integers.

        CVSS Score: 9.1

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

      SEVERE Vulnerabilities (1)

        [CVE-2021-32715] hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that in...

        hyper is an HTTP library for rust. hyper's HTTP/1 server code had a flaw that incorrectly parses and accepts requests with a Content-Length header with a prefixed plus sign, when it should have been rejected as illegal. This combined with an upstream HTTP proxy that doesn't parse such Content-Length headers, but forwards them, can result in "request smuggling" or "desync attacks". The flaw exists in all prior versions of hyper prior to 0.14.10, if built with rustc v1.5.0 or newer. The vulnerability is patched in hyper version 0.14.10. Two workarounds exist: One may reject requests manually that contain a plus sign prefix in the Content-Length header or ensure any upstream proxy handles Content-Length headers with a plus sign prefix.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N


Member

@Andrewmatilde Andrewmatilde left a comment


LGTM

Successfully merging this pull request may close these issues.

rename repository to chaos-tproxy
2 participants