Affected by GO-2024-2442 and 3 other vulnerabilities

GO-2024-2442: Withdrawn Advisory: Teleport Access List owners can escalate their privileges in github.com/gravitational/teleport

GO-2024-2445: Withdrawn Advisory: SFTP is possible on the Proxy server for any user with SFTP access in github.com/gravitational/teleport

GO-2024-2447: Withdrawn Advisory: Teleport Proxy and Teleport Agents: SSRF to arbitrary hosts is possible from low privileged users in github.com/gravitational/teleport

GO-2024-2449: Withdrawn Advisory: User-provided environment values allow execution on macOS agents in github.com/gravitational/teleport

csrf

package

v1.2.3-fred.12 Latest Latest Go to latest Published: Nov 1, 2022 License: Apache-2.0 Imports: 5 Imported by: 50

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/gravitational/teleport

Documentation ¶

Index ¶

Constants
func AddCSRFProtection(w http.ResponseWriter, r *http.Request) (string, error)
func ExtractTokenFromCookie(r *http.Request) (string, error)
func VerifyHTTPHeader(r *http.Request) error
func VerifyToken(token string, r *http.Request) error

Constants ¶

View Source

const (
	// CookieName is the name of the CSRF cookie. It's prefixed with "__Host-" as
	// an additional defense in depth measure. It makes sure it is sent from a
	// secure page (HTTPS), won't be sent to subdomains, and the path attribute
	// is set to /.
	CookieName = "__Host-grv_csrf"
	// HeaderName is the default HTTP request header to inspect.
	HeaderName = "X-CSRF-Token"
)

Variables ¶

This section is empty.

Functions ¶

func AddCSRFProtection ¶

func AddCSRFProtection(w http.ResponseWriter, r *http.Request) (string, error)

AddCSRFProtection adds CSRF token into the user session via secure cookie, it implements "double submit cookie" approach to check against CSRF attacks https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet#Double_Submit_Cookie

func ExtractTokenFromCookie ¶

func ExtractTokenFromCookie(r *http.Request) (string, error)

ExtractTokenFromCookie retrieves a CSRF token from the session cookie.

func VerifyHTTPHeader ¶

func VerifyHTTPHeader(r *http.Request) error

VerifyHTTPHeader checks if HTTP header value matches the cookie.

func VerifyToken ¶

func VerifyToken(token string, r *http.Request) error

VerifyToken validates given token based on HTTP request cookie

Types ¶

This section is empty.

Source Files ¶

View all Source files

csrf.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL