Affected by GO-2022-0540 and 47 other vulnerabilities

GO-2022-0540: Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server

GO-2022-0576: Insecure plugin handling in Mattermost in github.com/mattermost/mattermost-server

GO-2022-0595: Resource exhaustion in Mattermost in github.com/mattermost/mattermost-server

GO-2022-0599: Improper Control of a Resource Through its Lifetime in Mattermost in github.com/mattermost/mattermost-server

GO-2022-0604: Cross-site Scripting in Mattermost in github.com/mattermost/mattermost-server

GO-2022-0616: Improper Privilege Management in Mattermost in github.com/mattermost/mattermost-server

GO-2024-2444: Mattermost allows demoted guests to change group names in github.com/mattermost/mattermost-server

GO-2024-2446: Mattermost Cross-site Scripting vulnerability in github.com/mattermost/mattermost-server

GO-2024-2448: Mattermost notified all users in the channel when using WebSockets to respond individually in github.com/mattermost/mattermost-server

GO-2024-2450: Mattermost viewing archived public channels permissions vulnerability in github.com/mattermost/mattermost-server

GO-2024-2541: Mattermost vulnerable to denial of service via large number of emoji reactions in github.com/mattermost/mattermost-server

GO-2024-2566: Mattermost fails to check the required permissions in github.com/mattermost/mattermost-server

GO-2024-2588: Mattermost race condition in github.com/mattermost/mattermost-server

GO-2024-2589: Mattermost denial of service through long emoji value in github.com/mattermost/mattermost-server

GO-2024-2590: Mattermost leaks details of AD/LDAP groups of a teams in github.com/mattermost/mattermost-server

GO-2024-2591: Mattermost post fetching without auditing in compliance export in github.com/mattermost/mattermost-server

GO-2024-2592: Mattermost allows attackers access to posts in channels they are not a member of in github.com/mattermost/mattermost-server

GO-2024-2593: Mattermost fails to check the "invite_guest" permission in github.com/mattermost/mattermost-server

GO-2024-2594: Mattermost fails to limit the number of role names in github.com/mattermost/mattermost-server

GO-2024-2595: Mattermost fails to properly restrict the access of files attached to posts in github.com/mattermost/mattermost-server

GO-2024-2635: Mattermost incorrectly allows access individual posts in github.com/mattermost/mattermost-server

GO-2024-2695: Mattermost Server doesn't limit the number of user preferences in github.com/mattermost/mattermost-server

GO-2024-2696: Mattermost fails to authenticate the source of certain types of post actions in github.com/mattermost/mattermost-server

GO-2024-2706: Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server

GO-2024-2707: Mattermost Server Improper Access Control in github.com/mattermost/mattermost-server

GO-2024-3020: Mattermost allows a remote actor to permanently delete local data by abusing dangerous error handling in github.com/mattermost/mattermost-server

GO-2024-3022: Mattermost allows remote actor to set arbitrary RemoteId values for synced users in github.com/mattermost/mattermost-server

GO-2024-3023: Mattermost allows remote actor to create/update/delete posts in arbitrary channels in github.com/mattermost/mattermost-server

GO-2024-3024: Mattermost allows a user on a remote to set their remote username prop to an arbitrary string in github.com/mattermost/mattermost-server

GO-2024-3025: Mattermost failed to disallow the modification of local users when syncing users in shared channels in github.com/mattermost/mattermost-server

GO-2024-3028: Mattermost failed to properly validate that the channel that comes from the sync message is a shared channel in github.com/mattermost/mattermost-server

GO-2024-3030: Mattermost failed to properly validate synced reactions in github.com/mattermost/mattermost-server

GO-2024-3031: Mattermost allows a remote actor to make an arbitrary local channel read-only in github.com/mattermost/mattermost-server

GO-2024-3032: Mattermost did not properly restrict channel creation in github.com/mattermost/mattermost-server

GO-2024-3089: Mattermost allows guest user with read access to upload files to a channel in github.com/mattermost/mattermost-server

GO-2024-3090: Mattermost allows team admin user without "Add Team Members" permission to disable invite URL in github.com/mattermost/mattermost-server

GO-2024-3091: Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams in github.com/mattermost/mattermost-server

GO-2024-3092: Mattermost allows unsolicited invites to expose access to local channels in github.com/mattermost/mattermost-server

GO-2024-3093: Mattermost doesn't redact remote users' original email addresses in github.com/mattermost/mattermost-server

GO-2024-3094: Mattermost doesn't restrict which roles can promote a user as system admin in github.com/mattermost/mattermost-server

GO-2024-3096: Mattermost allows remote/synthetic users to create sessions, reset passwords in github.com/mattermost/mattermost-server

GO-2024-3097: Mattermost Cross-Site Request Forgery vulnerability in github.com/mattermost/mattermost-server

GO-2024-3164: Mattermost fails to strip `embeds` from `metadata` when broadcasting `posted` events in github.com/mattermost/mattermost-server

GO-2024-3227: Mattermost incorrectly issues two sessions when using desktop SSO in github.com/mattermost/mattermost-server

GO-2024-3232: Mattermost Server allows user to get private channel names in github.com/mattermost/mattermost-server

GO-2024-3233: Mattermost Server Path Traversal vulnerability that leads to Cross-Site Request Forgery in github.com/mattermost/mattermost-server

GO-2024-3234: Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server

GO-2024-3235: Mattermost server allows authenticated user to delete arbitrary post in github.com/mattermost/mattermost-server

The highest tagged major version is v6.

audit

package

v5.24.2-rc1 Latest Latest Go to latest Published: Jun 26, 2020 License: AGPL-3.0, Apache-2.0 Imports: 14 Imported by: 15

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/mattermost/mattermost-server

Documentation ¶

Index ¶

Constants
func NewFileTarget(filter logr.Filter, formatter logr.Formatter, opts FileOptions, maxQSize int) (*target.File, error)
type Audit
type FileOptions
type FuncMetaTypeConv
type Level
type Meta
type Record
type SyslogParams
type SyslogTLS
- func NewSyslogTLSTarget(filter logr.Filter, formatter logr.Formatter, params *SyslogParams, ...) (*SyslogTLS, error)

Constants ¶

View Source

const (
	DefMaxQueueSize = 1000

	KeyAPIPath   = "api_path"
	KeyEvent     = "event"
	KeyStatus    = "status"
	KeyUserID    = "user_id"
	KeySessionID = "session_id"
	KeyClient    = "client"
	KeyIPAddress = "ip_address"
	KeyClusterID = "cluster_id"

	Success = "success"
	Attempt = "attempt"
	Fail    = "fail"
)

Variables ¶

This section is empty.

Functions ¶

func NewFileTarget ¶

func NewFileTarget(filter logr.Filter, formatter logr.Formatter, opts FileOptions, maxQSize int) (*target.File, error)

NewFileTarget creates a target capable of outputting log records to a rotated file.

Types ¶

type Audit ¶

type Audit struct {

	// OnQueueFull is called on an attempt to add an audit record to a full queue.
	// On return the calling goroutine will block until the audit record can be added.
	OnQueueFull func(qname string, maxQueueSize int)

	// OnError is called when an error occurs while writing an audit record.
	OnError func(err error)
	// contains filtered or unexported fields
}

func (*Audit) AddTarget ¶

func (a *Audit) AddTarget(target logr.Target)

AddTarget adds a Logr target to the list of targets each audit record will be output to.

func (*Audit) Init ¶

func (a *Audit) Init(maxQueueSize int)

func (*Audit) Log ¶

func (a *Audit) Log(level Level, path string, evt string, status string, userID string, sessionID string, meta Meta)

Log emits an audit record based on minimum required info.

func (*Audit) LogRecord ¶

func (a *Audit) LogRecord(level Level, rec Record)

LogRecord emits an audit record with complete info.

func (*Audit) MakeFilter ¶

func (a *Audit) MakeFilter(level ...Level) *logr.CustomFilter

MakeFilter creates a filter which only allows the specified audit levels to be output.

func (*Audit) MakeJSONFormatter ¶

func (a *Audit) MakeJSONFormatter() *format.JSON

MakeJSONFormatter creates a formatter that outputs JSON suitable for audit records.

func (*Audit) Shutdown ¶

func (a *Audit) Shutdown()

Shutdown cleanly stops the audit engine after making best efforts to flush all targets.

type FileOptions ¶

type FileOptions target.FileOptions

type FuncMetaTypeConv ¶ added in v5.24.0

type FuncMetaTypeConv func(val interface{}) (newVal interface{}, converted bool)

FuncMetaTypeConv defines a function that can convert meta data types into something that serializes well for audit records.

type Level ¶

type Level logr.Level

type Meta ¶

type Meta map[string]interface{}

Meta represents metadata that can be added to a audit record as name/value pairs.

type Record ¶

type Record struct {
	APIPath   string
	Event     string
	Status    string
	UserID    string
	SessionID string
	Client    string
	IPAddress string
	Meta      Meta
	// contains filtered or unexported fields
}

Record provides a consistent set of fields used for all audit logging.

func (*Record) AddMeta ¶

func (rec *Record) AddMeta(name string, val interface{})

AddMeta adds a single name/value pair to this audit record's metadata.

func (*Record) AddMetaTypeConverter ¶ added in v5.24.0

func (rec *Record) AddMetaTypeConverter(f FuncMetaTypeConv)

AddMetaTypeConverter adds a function capable of converting meta field types into something more suitable for serialization.

func (*Record) Fail ¶

func (rec *Record) Fail()

Success marks the audit record status as failed.

func (*Record) Success ¶

func (rec *Record) Success()

Success marks the audit record status as successful.

type SyslogParams ¶

type SyslogParams struct {
	Raddr    string
	Cert     string
	Tag      string
	Insecure bool
}

SyslogParams provides parameters for dialing a syslogTLS daemon.

type SyslogTLS ¶

type SyslogTLS struct {
	logr.Basic
	// contains filtered or unexported fields
}

Syslog outputs log records to local or remote syslog.

func NewSyslogTLSTarget ¶

func NewSyslogTLSTarget(filter logr.Filter, formatter logr.Formatter, params *SyslogParams, maxQueue int) (*SyslogTLS, error)

NewSyslogTLSTarget creates a target capable of outputting log records to remote or local syslog via TLS.

func (*SyslogTLS) Shutdown ¶

func (s *SyslogTLS) Shutdown(ctx context.Context) error

Shutdown stops processing log records after making best effort to flush queue.

func (*SyslogTLS) String ¶

func (s *SyslogTLS) String() string

String returns a string representation of this target.

func (*SyslogTLS) Write ¶

func (s *SyslogTLS) Write(rec *logr.LogRec) error

Write converts the log record to bytes, via the Formatter, and outputs to syslog via TLS.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL