Advisories for Golang/Github.com/Zeromicro/Go-Zero package

2024

Authorization Bypass Through User-Controlled Key in go-zero

Summary

Hello go-zero maintainer team, I would like to report a security issue concerning your CORS Filter feature.

Details

Go-zero allows users to specify a CORS Filter with a configurable allows param, which is an array of domains allowed in the CORS policy. However, isOriginAllowed uses strings.HasSuffix to check the origin, which leads to a bypass via a domain like evil-victim.com:

func isOriginAllowed(allows []string, origin string) bool { for _, o := …
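The suffix-match weakness above, shown beside a host-boundary check, as an added example written for this page (not the advisory's or go-zero's own code). vulnerableOriginAllowed is an illustrative reconstruction of the check the report describes, not a verbatim copy; hardenedOriginAllowed assumes allow-list entries are bare hostnames and uses a leading-dot convention (".victim.com" admits the apex and its subdomains) that is this example's own, not go-zero's configuration format.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const allOrigins = "*"

// vulnerableOriginAllowed is an illustrative reconstruction of the
// suffix-based check the advisory describes (not go-zero's code verbatim).
// The Origin header "https://evil-victim.com" ends with "victim.com",
// so the check passes for an attacker-controlled site.
func vulnerableOriginAllowed(allows []string, origin string) bool {
	for _, o := range allows {
		if o == allOrigins {
			return true
		}
		if strings.HasSuffix(origin, o) {
			return true
		}
	}
	return false
}

// hardenedOriginAllowed parses the Origin header and compares its hostname
// against the allow-list on a label boundary. Entries are assumed to be bare
// hostnames (assumption for this example): a plain entry ("victim.com")
// admits only that exact host, and an entry with a leading dot
// (".victim.com") admits the apex and any subdomain.
func hardenedOriginAllowed(allows []string, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Hostname() == "" {
		// "null", empty, or malformed origins never match.
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, o := range allows {
		if o == allOrigins {
			return true
		}
		o = strings.ToLower(o)
		if strings.HasPrefix(o, ".") {
			// Subdomain entry: the dot before "victim.com" is what keeps
			// "evil-victim.com" out, unlike a raw suffix comparison.
			if host == o[1:] || strings.HasSuffix(host, o) {
				return true
			}
			continue
		}
		if host == o {
			return true
		}
	}
	return false
}

func main() {
	allows := []string{"victim.com"}
	origins := []string{"https://victim.com", "https://evil-victim.com", "null"}
	for _, origin := range origins {
		fmt.Printf("%-26s vulnerable=%-5v hardened=%v\n", origin,
			vulnerableOriginAllowed(allows, origin), hardenedOriginAllowed(allows, origin))
	}
}
```

Note that the hardened check ignores the port because the entries are assumed to be hostnames only; if a deployment needs to pin a port or scheme, compare those parsed fields as well rather than falling back to string comparison on the raw header.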