GHSA-9c5w-9q3f-3hv7: Minder's GitHub Webhook Handler vulnerable to DoS from un-validated requests
Minder’s HandleGithubWebhook is susceptible to a denial of service attack from an untrusted HTTP request. The vulnerability exists before the request has been validated, and as such the request is still untrusted at the point of failure. This allows an attacker with the ability to send requests to HandleGithubWebhook to crash the Minder controlplane and deny other users from using it.
One of the first things that HandleGithubWebhook does is to validate the payload signature. This is done by way of the internal helper validatePayloadSignature:
References
- github.com/advisories/GHSA-9c5w-9q3f-3hv7
- github.com/stacklok/minder
- github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go
- github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go
- github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks.go
- github.com/stacklok/minder/blob/ee66f6c0763212503c898cfefb65ce1450c7f5ac/internal/controlplane/handlers_githubwebhooks_test.go
- github.com/stacklok/minder/commit/3e5a527d2f1b535159206161d1d519602c75bd0d
- github.com/stacklok/minder/security/advisories/GHSA-9c5w-9q3f-3hv7
Code Behaviors & Features
Detect and mitigate GHSA-9c5w-9q3f-3hv7 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →