Affected by GO-2024-2637 and 12 other vulnerabilities

GO-2024-2637: Account Takeover via Session Fixation in Zitadel [Bypassing MFA] in github.com/zitadel/zitadel

GO-2024-2664: ZITADEL's actions can overload reserved claims in github.com/zitadel/zitadel

GO-2024-2665: ZITADEL's Improper Content-Type Validation Leads to Account Takeover via Stored XSS + CSP Bypass in github.com/zitadel/zitadel

GO-2024-2788: ZITADEL's Improper Lockout Mechanism Leads to MFA Bypass in github.com/zitadel/zitadel

GO-2024-2804: Zitadel exposing internal database user name and host information in github.com/zitadel/zitadel

GO-2024-2968: ZITADEL Vulnerable to Session Information Leakage in github.com/zitadel/zitadel

GO-2024-3014: ZITADEL "ignoring unknown usernames" vulnerability in github.com/zitadel/zitadel

GO-2024-3015: ZITADEL has improper HTML sanitization in emails and Console UI in github.com/zitadel/zitadel

GO-2024-3137: ZITADEL's User Grant Deactivation not Working in github.com/zitadel/zitadel

GO-2024-3138: ZITADEL Allows Unauthorized Access After Organization or Project Deactivation in github.com/zitadel/zitadel

GO-2024-3139: ZITADEL's Service Users Deactivation not Working in github.com/zitadel/zitadel

GO-2024-3216: Denied Host Validation Bypass in Zitadel Actions in github.com/zitadel/zitadel

GO-2024-3217: User Registration Bypass in Zitadel in github.com/zitadel/zitadel

http

package

v1.84.1 Latest Latest Go to latest Published: May 20, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/zitadel/zitadel

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func CopyHeadersToContext(h http.Handler) http.Handler
func CreateListener(endpoint string) net.Listener
func Endpoint(endpoint string) string
func GetAuthorization(r *http.Request) string
func GetForwardedFor(headers http.Header) (string, bool)
func GetOrgID(r *http.Request) string
func GetOriginFromURLString(s string) (string, error)
func HeadersFromCtx(ctx context.Context) (http.Header, bool)
func IsOrigin(rawOrigin string) bool
func IsOriginAllowed(allowList []string, origin string) bool
func MarshalJSON(w http.ResponseWriter, i interface{}, err error, statusCode int)
func RegisterHandler(mux *http.ServeMux, prefix string, handler http.Handler)
func RemoteAddrFromCtx(ctx context.Context) string
func RemoteIPFromCtx(ctx context.Context) string
func RemoteIPFromRequest(r *http.Request) net.IP
func RemoteIPStringFromRequest(r *http.Request) string
func Serve(ctx context.Context, handler http.Handler, port, servername string)
func SetCookiePrefix(name, domain, path string, secureOnly bool) string
func TokenUrl(domain, token string, checkType CheckType) (string, error)
func ValidateDomain(domain, token, verifier string, checkType CheckType) error
func ValidateDomainDNS(domain, verifier string) error
func ValidateDomainHTTP(domain, token, verifier string) error
type CheckType
type CookieHandler
- func NewCookieHandler(opts ...CookieHandlerOpt) *CookieHandler
- func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string)
- func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, error)
- func (c *CookieHandler) GetEncryptedCookieValue(r *http.Request, name string, value interface{}) error
- func (c *CookieHandler) SetCookie(w http.ResponseWriter, name string, value string)
- func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name string, value interface{}) error
type CookieHandlerOpt
- func WithDomain(domain string) CookieHandlerOpt
- func WithEncryption(hashKey, encryptKey []byte) CookieHandlerOpt
- func WithMaxAge(maxAge int) CookieHandlerOpt
- func WithNonHttpOnly() CookieHandlerOpt
- func WithPath(path string) CookieHandlerOpt
- func WithSameSite(sameSite http.SameSite) CookieHandlerOpt
- func WithUnsecure() CookieHandlerOpt
type Parser
- func NewParser() *Parser
- func (p *Parser) Parse(r *http.Request, data interface{}) error

Constants ¶

View Source

const (
	CheckTypeHTTP CheckType = iota
	CheckTypeDNS

	HTTPPattern = "https://%s/.well-known/zitadel-challenge/%s"
	DNSPattern  = "_zitadel-challenge.%s"
)

View Source

const (
	Authorization   = "authorization"
	Accept          = "accept"
	AcceptLanguage  = "accept-language"
	CacheControl    = "cache-control"
	ContentType     = "content-type"
	ContentLength   = "content-length"
	Expires         = "expires"
	Location        = "location"
	Origin          = "origin"
	Pragma          = "pragma"
	UserAgentHeader = "user-agent"
	ForwardedFor    = "x-forwarded-for"
	XUserAgent      = "x-user-agent"
	XGrpcWeb        = "x-grpc-web"

	ContentSecurityPolicy   = "content-security-policy"
	XXSSProtection          = "x-xss-protection"
	StrictTransportSecurity = "strict-transport-security"
	XFrameOptions           = "x-frame-options"
	XContentTypeOptions     = "x-content-type-options"
	ReferrerPolicy          = "referrer-policy"
	FeaturePolicy           = "feature-policy"
	PermissionsPolicy       = "permissions-policy"

	ZitadelOrgID = "x-zitadel-orgid"
)

View Source

const (
	Healthz    = "/healthz"
	Readiness  = "/ready"
	Validation = "/validate"
)

Variables ¶

View Source

var (
	Probes = []string{Healthz, Readiness, Validation}
)

Functions ¶

func CopyHeadersToContext ¶

func CopyHeadersToContext(h http.Handler) http.Handler

func CreateListener ¶

func CreateListener(endpoint string) net.Listener

func Endpoint ¶

func Endpoint(endpoint string) string

func GetAuthorization ¶

func GetAuthorization(r *http.Request) string

func GetForwardedFor ¶

func GetForwardedFor(headers http.Header) (string, bool)

func GetOrgID ¶

func GetOrgID(r *http.Request) string

func GetOriginFromURLString ¶

func GetOriginFromURLString(s string) (string, error)

func HeadersFromCtx ¶

func HeadersFromCtx(ctx context.Context) (http.Header, bool)

func IsOrigin ¶

func IsOrigin(rawOrigin string) bool

IsOrigin checks if provided string is an origin (scheme://hostname[:port]) without path, query or fragment

func IsOriginAllowed ¶

func IsOriginAllowed(allowList []string, origin string) bool

func MarshalJSON ¶

func MarshalJSON(w http.ResponseWriter, i interface{}, err error, statusCode int)

func RegisterHandler ¶

func RegisterHandler(mux *http.ServeMux, prefix string, handler http.Handler)

func RemoteAddrFromCtx ¶

func RemoteAddrFromCtx(ctx context.Context) string

func RemoteIPFromCtx ¶

func RemoteIPFromCtx(ctx context.Context) string

func RemoteIPFromRequest ¶

func RemoteIPFromRequest(r *http.Request) net.IP

func RemoteIPStringFromRequest ¶

func RemoteIPStringFromRequest(r *http.Request) string

func Serve ¶

func Serve(ctx context.Context, handler http.Handler, port, servername string)

func SetCookiePrefix ¶

func SetCookiePrefix(name, domain, path string, secureOnly bool) string

func TokenUrl ¶

func TokenUrl(domain, token string, checkType CheckType) (string, error)

func ValidateDomain ¶

func ValidateDomain(domain, token, verifier string, checkType CheckType) error

func ValidateDomainDNS ¶

func ValidateDomainDNS(domain, verifier string) error

func ValidateDomainHTTP ¶

func ValidateDomainHTTP(domain, token, verifier string) error

Types ¶

type CheckType ¶

type CheckType int

type CookieHandler ¶

type CookieHandler struct {
	// contains filtered or unexported fields
}

func NewCookieHandler ¶

func NewCookieHandler(opts ...CookieHandlerOpt) *CookieHandler

func (*CookieHandler) DeleteCookie ¶

func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string)

func (*CookieHandler) GetCookieValue ¶

func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, error)

func (*CookieHandler) GetEncryptedCookieValue ¶

func (c *CookieHandler) GetEncryptedCookieValue(r *http.Request, name string, value interface{}) error

func (*CookieHandler) SetCookie ¶

func (c *CookieHandler) SetCookie(w http.ResponseWriter, name string, value string)

func (*CookieHandler) SetEncryptedCookie ¶

func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name string, value interface{}) error

type CookieHandlerOpt ¶

type CookieHandlerOpt func(*CookieHandler)

func WithDomain ¶

func WithDomain(domain string) CookieHandlerOpt

func WithEncryption ¶

func WithEncryption(hashKey, encryptKey []byte) CookieHandlerOpt

func WithMaxAge ¶

func WithMaxAge(maxAge int) CookieHandlerOpt

func WithNonHttpOnly ¶

func WithNonHttpOnly() CookieHandlerOpt

func WithPath ¶

func WithPath(path string) CookieHandlerOpt

func WithSameSite ¶

func WithSameSite(sameSite http.SameSite) CookieHandlerOpt

func WithUnsecure ¶

func WithUnsecure() CookieHandlerOpt

type Parser ¶

type Parser struct {
	// contains filtered or unexported fields
}

func NewParser ¶

func NewParser() *Parser

func (*Parser) Parse ¶

func (p *Parser) Parse(r *http.Request, data interface{}) error

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
middleware

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL