Poindexter/AUDIT-OWASP.md
google-labs-jules[bot] 0b69e4e0b3 feat: Perform OWASP Top 10 security audit and remediation
This commit introduces a security audit of the codebase against the OWASP Top 10.

The key findings and remediations include:
- A06: Vulnerable and Outdated Components - Identified that the project's Go version was outdated. The audit report recommends an upgrade.
- A10: Server-Side Request Forgery (SSRF) - Remediated an SSRF vulnerability in the RDAP lookup functions by sanitizing user-provided input with `url.PathEscape`.
- A03: Injection - Mitigated a potential injection vector in the DNS lookup functions by adding a regex-based validation for domain names.

An `AUDIT-OWASP.md` file has been added to the repository root to document these findings and actions taken.

Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
2026-02-02 01:18:14 +00:00


OWASP Top 10 Security Audit

Summary

0 critical, 2 high, 1 medium findings

Findings by Category

A06: Vulnerable and Outdated Components (High)

  • Finding: The govulncheck tool identified 13 vulnerabilities in the Go standard library, stemming from an outdated Go version.
  • Remediation: It is recommended to upgrade the project's Go version to the latest stable release to mitigate these vulnerabilities.

A10: Server-Side Request Forgery (SSRF) (High)

  • Finding: The RDAPLookupDomainWithTimeout, RDAPLookupIPWithTimeout, and RDAPLookupASNWithTimeout functions built their request URLs by concatenating user-provided input directly into the URL. This could have allowed a malicious actor to craft inputs that cause the server to make requests to internal resources.
  • Remediation: All user-provided inputs (domain, ip, and asn) are now sanitized with url.PathEscape() before being placed in the request URL, preventing path traversal and other SSRF-style attacks.

A03: Injection (Medium)

  • Finding: The DNSLookup... functions did not validate the domain parameter, so special characters in the input could have caused unexpected behavior.
  • Remediation: The domain parameter is now validated using a regular expression to ensure it conforms to a valid domain name format, mitigating the risk of injection attacks.
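Both remediations above (the A10 path escaping and the A03 domain validation) as an added Go example; this is not the project's own code, and the RDAP base URL, the function names and the regular expression are assumptions, since the audit shows neither the project's endpoint nor its exact pattern:

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Hypothetical RDAP base URL; the project's real endpoint is not shown in the audit.
const rdapBase = "https://rdap.example.net/"

// unsafeRDAPURL reproduces the pattern the A10 finding describes: the caller's value
// is concatenated into the path, so "/", "?" and "#" in it change what is requested.
func unsafeRDAPURL(kind, value string) string {
	return rdapBase + kind + "/" + value
}

// safeRDAPURL applies the remediation: url.PathEscape percent-encodes "/", "?", "#"
// and other delimiters, so the value stays in one segment under the fixed host.
func safeRDAPURL(kind, value string) string {
	return rdapBase + kind + "/" + url.PathEscape(value)
}

// domainRE stands in for the project's regex (assumption): dot-separated labels of
// 1-63 letters, digits and inner hyphens, at least one dot, alphabetic TLD of 2-63.
var domainRE = regexp.MustCompile(`(?i)^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)

// validDomain is the A03-style allow-list check applied before any lookup.
func validDomain(d string) bool {
	return len(d) <= 253 && domainRE.MatchString(d)
}

// rdapDomainURL combines both controls: validate the shape, then escape on insertion.
func rdapDomainURL(domain string) (string, error) {
	if !validDomain(domain) {
		return "", fmt.Errorf("invalid domain name: %q", domain)
	}
	return safeRDAPURL("domain", domain), nil
}

func main() {
	hostile := "../admin?x=1#frag" // constructed sample input
	fmt.Println("unsafe:", unsafeRDAPURL("domain", hostile))
	fmt.Println("safe:  ", safeRDAPURL("domain", hostile))
	for _, d := range []string{"example.com", "bad..com", "-x.com", "evil.com/../"} {
		fmt.Printf("%-14s valid=%v\n", d, validDomain(d))
	}
}
```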