GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder

The highest tagged major version is v2.

audit

package

v0.5.3 Latest Latest Go to latest Published: May 2, 2022 License: AGPL-3.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/coder/coder

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func Empty[T Auditable]() T
type Action
- func (t Action) String() string
type Auditable
type Map
- func Diff[T Auditable](left, right T) Map
type Table

Constants ¶

View Source

const (
	// ActionIgnore ignores diffing for the field.
	ActionIgnore = "ignore"
	// ActionTrack includes the value in the diff if the value changed.
	ActionTrack = "track"
	// ActionSecret includes a zero value of the same type if the value changed.
	// It lets you indicate that a value changed, but without leaking its
	// contents.
	ActionSecret = "secret"
)

Variables ¶

View Source

var AuditableResources = auditMap(map[any]map[string]Action{
	&database.User{}: {
		"id":              ActionIgnore,
		"email":           ActionTrack,
		"username":        ActionIgnore,
		"hashed_password": ActionSecret,
		"created_at":      ActionIgnore,
		"updated_at":      ActionIgnore,
		"status":          ActionTrack,
		"rbac_roles":      ActionTrack,
	},
	&database.Workspace{}: {
		"id":                 ActionIgnore,
		"created_at":         ActionIgnore,
		"updated_at":         ActionIgnore,
		"owner_id":           ActionIgnore,
		"template_id":        ActionIgnore,
		"deleted":            ActionIgnore,
		"name":               ActionIgnore,
		"autostart_schedule": ActionTrack,
		"autostop_schedule":  ActionTrack,
	},
})

AuditableResources contains a definitive list of all auditable resources and which fields are auditable.

Functions ¶

func Empty ¶

func Empty[T Auditable]() T

Types ¶

type Action ¶

type Action string

func (Action) String ¶

func (t Action) String() string

type Auditable ¶

type Auditable interface {
	database.User |
		database.Workspace
}

Auditable is mostly a marker interface. It contains a definitive list of all auditable types. If you want to audit a new type, first define it in AuditableResources, then add it to this interface.

type Map ¶

type Map map[string]interface{}

TODO: this might need to be in the database package.

func Diff ¶

func Diff[T Auditable](left, right T) Map

Diff compares two auditable resources and produces a Map of the changed values.

type Table ¶

type Table map[string]map[string]Action

Table is a map of struct names to a map of field names that indicate that field's AuditType.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL