Fixed CVE-2021-3538 related to the non-default uuid4 `request_id_fo…

…rmat` option (#611) * Fixed CVE-2021-3538 related to the non-default `uuid4` `request_id_format` option * add PR link to changelog
coupergateway · Oct 26, 2022 · 9bcac71 · 9bcac71
1 parent b94e51f
commit 9bcac71
Show file tree

Hide file tree

Showing 31 changed files with 1,162 additions and 799 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,9 +4,12 @@
 
 Unreleased changes are available as `avenga/couper:edge` container.
 
+* **Fixed**
+  * CVE-2021-3538 related to our `request_id_format` option if switched to `uuid4`: replaced the underlying package to `github.com/google/uuid` ([#611](https://github.com/avenga/couper/pull/611))
+
 ---
 
-## [1.10.0](https://github.com/avenga/couper/releases/tag/v1.10.1)
+## [1.10.1](https://github.com/avenga/couper/releases/tag/v1.10.1)
 
 * **Fixed**
   * [endpoint `/**` path wildcards](https://docs.couper.io/configuration/block/endpoint) sometimes not matching ([#603](https://github.com/avenga/couper/pull/603))

diff --git a/go.mod b/go.mod
@@ -19,7 +19,6 @@ require (
 	github.com/rs/xid v1.3.0
 	github.com/russellhaering/gosaml2 v0.7.0
 	github.com/russellhaering/goxmldsig v1.2.0
-	github.com/satori/go.uuid v1.2.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/zclconf/go-cty v1.10.1-0.20220623211957-834994b84991
 	go.opentelemetry.io/otel v1.4.0
@@ -43,6 +42,7 @@ require (
 require (
 	github.com/algolia/algoliasearch-client-go/v3 v3.26.0
 	github.com/google/go-cmp v0.5.7
+	github.com/google/uuid v1.3.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -174,6 +174,8 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
@@ -277,8 +279,6 @@ github.com/russellhaering/gosaml2 v0.7.0 h1:gMHBQVGFOAHd7lXC0hoYXg3BcR80+4XgTxVM
 github.com/russellhaering/gosaml2 v0.7.0/go.mod h1:byViER/1YPUa0Puj9ROZblpoq2jsE7h/CJmitzX0geU=
 github.com/russellhaering/goxmldsig v1.2.0 h1:Y6GTTc9Un5hCxSzVz4UIWQ/zuVwDvzJk80guqzwx6Vg=
 github.com/russellhaering/goxmldsig v1.2.0/go.mod h1:gM4MDENBQf7M+V824SGfyIUVFWydB7n0KkEubVJl+Tw=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=

diff --git a/handler/middleware/uid.go b/handler/middleware/uid.go
@@ -5,8 +5,8 @@ import (
 	"net/http"
 	"regexp"
 
+	"github.com/google/uuid"
 	"github.com/rs/xid"
-	uuid "github.com/satori/go.uuid"
 
 	"github.com/avenga/couper/config"
 	"github.com/avenga/couper/config/request"
@@ -79,8 +79,9 @@ type UIDFunc func() string
 func NewUIDFunc(requestIDFormat string) UIDFunc {
 	var fn UIDFunc
 	if requestIDFormat == "uuid4" {
+		uuid.EnableRandPool() // Enabling the pool may improve the UUID generation throughput significantly.
 		fn = func() string {
-			return uuid.NewV4().String()
+			return uuid.NewString()
 		}
 	} else {
 		fn = func() string {

diff --git a/vendor/github.com/google/uuid/.travis.yml b/vendor/github.com/google/uuid/.travis.yml
diff --git a/vendor/github.com/google/uuid/CONTRIBUTING.md b/vendor/github.com/google/uuid/CONTRIBUTING.md
diff --git a/vendor/github.com/google/uuid/CONTRIBUTORS b/vendor/github.com/google/uuid/CONTRIBUTORS
diff --git a/vendor/github.com/google/uuid/LICENSE b/vendor/github.com/google/uuid/LICENSE
diff --git a/vendor/github.com/google/uuid/README.md b/vendor/github.com/google/uuid/README.md
diff --git a/vendor/github.com/google/uuid/dce.go b/vendor/github.com/google/uuid/dce.go
diff --git a/vendor/github.com/google/uuid/doc.go b/vendor/github.com/google/uuid/doc.go
diff --git a/vendor/github.com/google/uuid/hash.go b/vendor/github.com/google/uuid/hash.go
diff --git a/vendor/github.com/google/uuid/marshal.go b/vendor/github.com/google/uuid/marshal.go