Impact
What kind of vulnerability is it? Who is impacted?
Using cloudevents.WithRoundTripper to create a cloudevents.Client with an authenticated http.RoundTripper causes the go-sdk to leak credentials to arbitrary endpoints.
The relevant code is here (also inline; the two lines that matter are marked with comments):

```go
if p.Client == nil {
	p.Client = http.DefaultClient // falls back to the process-wide shared client
}
if p.roundTripper != nil {
	p.Client.Transport = p.roundTripper // mutates that shared client in place
}
```
When the transport is populated with an authenticated transport such as:
... then http.DefaultClient is modified with the authenticated transport and will start to send Authorization tokens to any endpoint it is used to contact!
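The following is an added, self-contained Go example (not code from the cloudevents sdk-go project) that reproduces the behaviour described above and contrasts it with a constructor that does not touch the shared default. All names are constructed for the example: `recordingTransport` stands in for an authenticated `http.RoundTripper` (it attaches a constructed bearer token and records which hosts it was asked to contact, answering in-memory so nothing goes over the network), `newClientVulnerable` mirrors the pre-fix pattern from the snippet, and `newClientFixed` is one way to avoid the leak by never assigning into `http.DefaultClient`; it is not necessarily the same change the v.2.15.2 patch made.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
)

// recordingTransport is a constructed stand-in for an authenticated RoundTripper.
// When token is non-empty it attaches a bearer token; either way it records the
// host of every request and answers in-memory so the example runs offline.
type recordingTransport struct {
	token string
	mu    sync.Mutex
	hosts []string
}

func (t *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	if t.token != "" {
		r.Header.Set("Authorization", "Bearer "+t.token)
	}
	t.mu.Lock()
	t.hosts = append(t.hosts, r.URL.Host)
	t.mu.Unlock()
	return &http.Response{
		StatusCode: http.StatusOK,
		Status:     "200 OK",
		Header:     http.Header{},
		Body:       io.NopCloser(strings.NewReader("ok")),
		Request:    r,
	}, nil
}

// Hosts returns a copy of the hosts this transport has been asked to contact.
func (t *recordingTransport) Hosts() []string {
	t.mu.Lock()
	defer t.mu.Unlock()
	return append([]string(nil), t.hosts...)
}

// newClientVulnerable mirrors the pre-fix pattern: with no explicit client it
// falls back to http.DefaultClient and then overwrites that shared client's
// Transport in place.
func newClientVulnerable(client *http.Client, rt http.RoundTripper) *http.Client {
	if client == nil {
		client = http.DefaultClient
	}
	if rt != nil {
		client.Transport = rt
	}
	return client
}

// newClientFixed (one possible remedy, not the project's own patch) never
// assigns into the shared default: it works on a fresh *http.Client, or on a
// shallow copy of the caller's client, before setting Transport.
func newClientFixed(client *http.Client, rt http.RoundTripper) *http.Client {
	var c http.Client
	if client != nil {
		c = *client
	}
	if rt != nil {
		c.Transport = rt
	}
	return &c
}

// tokenLeakedTo runs the advisory's scenario against one constructor: an
// authenticated transport is passed with no explicit client, the returned
// client makes one intended request, and then unrelated code in the same
// process uses http.DefaultClient. It returns the hosts that received the token.
func tokenLeakedTo(build func(*http.Client, http.RoundTripper) *http.Client) []string {
	saved := http.DefaultClient.Transport
	defer func() { http.DefaultClient.Transport = saved }()
	// Unauthenticated in-memory transport on the shared default so the
	// "unrelated" request also stays offline.
	http.DefaultClient.Transport = &recordingTransport{}

	auth := &recordingTransport{token: "example-token"} // constructed, not a real credential
	c := build(nil, auth)

	resp, err := c.Get("http://events.example.invalid/") // the intended, authenticated call
	if err != nil {
		panic(err)
	}
	resp.Body.Close()

	resp, err = http.DefaultClient.Get("http://unrelated.example.invalid/") // unrelated code path
	if err != nil {
		panic(err)
	}
	resp.Body.Close()

	return auth.Hosts()
}

func main() {
	fmt.Println("vulnerable: token sent to", tokenLeakedTo(newClientVulnerable))
	fmt.Println("fixed:      token sent to", tokenLeakedTo(newClientFixed))
}
```

With the vulnerable constructor the token reaches both hosts, because the unrelated `http.DefaultClient.Get` now rides on the authenticated transport; with the fixed constructor only the intended host sees it. A quick check for this class of bug in a code base is to grep for assignments into `http.DefaultClient.Transport` (or any write through a pointer that may alias `http.DefaultClient`) and require callers to construct their own `*http.Client` instead.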
Found and patched by: @tcnghia and @mattmoor
Patches
v.2.15.2