govulncheck vulnerability GO-2023-1571 for golang.org/x/net and golang.org/x/net/http2

[kevinmichaelchen]

Description

On the latest v1.8.2 tag, govulncheck is reporting a vulnerability (GO-2023-1571):

Vulnerability #1: GO-2023-1571
  A maliciously crafted HTTP/2 stream could cause excessive CPU
  consumption in the HPACK decoder, sufficient to cause a denial
  of service from a small number of small requests.

  Found in: golang.org/x/net/[email protected]
  Fixed in: golang.org/x/net/[email protected]
  More info: https://pkg.go.dev/vuln/GO-2023-1571

Pull Request

I think this should fix things: #3505

How to reproduce

Reproduction is the Gin codebase itself.

Run:

go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

Expectations

No vulnerabilities should be reported.

Solution

Bumping the version of golang.org/x/net to v0.7.0 should fix things.

go get "golang.org/x/net/http2"
govulncheck ./...

Actual result

$ curl -i http://localhost:8201/hello/world
<YOUR RESULT>

Environment

• go version: v1.19.6
• gin version (or commit ref): v1.8.2
• operating system: macOS Ventura 13.2, Apple M1 Max