traefikoidc/SECURITY_FIX.md
lukaszraczylo 57724918fe fix 116 (#118)
* Fix cache serialisation

* fix(cache): add integer overflow protection for serialization

- [x] Add maxCacheEntrySize constant (64 MiB) to prevent memory overflow
- [x] Validate byte slice size before adding marker byte
- [x] Validate JSON-serialized data size before marker addition
- [x] Add comprehensive overflow protection test cases

* docs: add security fix documentation for integer overflow protection

* test: fix goroutine tests to use mock OIDC servers

The TestContextAwareGoroutineManagement tests were making real HTTP
calls to hardcoded URLs like https://example.com, causing failures
in CI when those requests timeout or return HTTP errors.

Changes:
- Added createMockOIDCServer() helper function using httptest
- Updated GoroutineCleanupOnContextCancel to use mock server
- Updated NoGoroutineLeakOnMultipleInstances to use 3 mock servers
- Updated SingletonTasksAcrossInstances to use mock servers array

This prevents network calls and makes tests more reliable and faster.

Fixes test failures in GitHub Actions CI.
2026-01-08 22:50:46 +00:00


Security Fix: Integer Overflow Protection in Cache Serialization

Summary

Fixed a High-severity integer overflow vulnerability identified by GitHub Advanced Security in PR #117.

Vulnerability

Locations: universal_cache.go lines 789 and 811

  • result := make([]byte, len(bytes)+1) - Raw bytes path
  • result := make([]byte, len(jsonData)+1) - JSON encoding path

Risk: Potential integer overflow when the marker byte is added to the length of a very large cache entry, producing an incorrect allocation size.

Fix Applied

  1. Added size limit constant:

    maxCacheEntrySize = 64 * 1024 * 1024 // 64 MiB

  2. Size validation before allocation:

    • Validates entry size doesn't exceed limit
    • Validates adding marker byte won't overflow
    • Returns descriptive error messages

  3. Comprehensive test coverage:

    • Oversized byte slices (>64 MiB)
    • Exact max size edge case
    • Safe sizes (normal operation)
    • Large JSON data structures
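
The validation the three steps above describe, as an added Go example (not the project's universal_cache.go code): the marker byte values and the function names checkSize, prefix and serializeSafe are assumptions, while the 64 MiB constant and the make([]byte, len(x)+1) pattern come from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

const (
	maxCacheEntrySize      = 64 * 1024 * 1024 // 64 MiB cap from the fix
	markerRaw         byte = 0x01             // assumed value (not on the page)
	markerJSON        byte = 0x02             // assumed value (not on the page)
)

// checkSize runs both validations before any allocation: len+1 must not wrap,
// and the entry must be within the 64 MiB cap (exactly 64 MiB is allowed).
func checkSize(n int) error {
	if n > math.MaxInt-1 {
		return fmt.Errorf("entry size %d + marker byte would overflow int", n)
	}
	if n > maxCacheEntrySize {
		return fmt.Errorf("entry size %d exceeds maxCacheEntrySize (%d)", n, maxCacheEntrySize)
	}
	return nil
}

// prefix is the guarded form of `result := make([]byte, len(x)+1)`:
// it only allocates once checkSize has accepted the length.
func prefix(marker byte, data []byte) ([]byte, error) {
	if err := checkSize(len(data)); err != nil {
		return nil, err
	}
	result := make([]byte, len(data)+1)
	result[0] = marker
	copy(result[1:], data)
	return result, nil
}

// serializeSafe covers both paths named in the advisory: raw []byte and JSON.
func serializeSafe(value interface{}) ([]byte, error) {
	if raw, ok := value.([]byte); ok {
		return prefix(markerRaw, raw)
	}
	jsonData, err := json.Marshal(value)
	if err != nil {
		return nil, err
	}
	return prefix(markerJSON, jsonData)
}
```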

Verification

  • All tests pass with race detection
  • No security issues (golangci-lint, gosec)
  • 76.3% test coverage maintained

Impact

  • No breaking changes
  • Negligible performance overhead
  • Prevents potential buffer overflows
  • Predictable memory usage

Date: January 8, 2026

Severity: High → Resolved