pprof[1] is the Go standard library profiling toolkit. It is invaluable for diagnosing how Go programs perform in the wild. However, it is also able to expose secret data that was set via command-line flags. This is not ideal and should be mitigated by correctly configured firewall rules. We don't live in a world where people correctly configure firewall rules, so we have to fix things for people. Welcome to 2026. [1]: https://pkg.go.dev/runtime/pprof Ref: AWOO-001 Signed-off-by: Xe Iaso <me@xeiaso.net>
package metrics
import (
"context"
"io"
"log/slog"
"net"
"net/http"
"strings"
"testing"
"time"
"github.com/TecharoHQ/anubis/lib/config"
)
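// TestMetricsPprofCmdlineExposedWithoutAuthentication starts a metrics Server
// on a loopback port and asserts that GET /debug/pprof/cmdline does not echo
// this process's command line. The cmdline endpoint is the one that leaks
// secrets passed as command-line flags, so it must not be reachable by
// default; the test binary's own name ("metrics.test") is the marker.
func TestMetricsPprofCmdlineExposedWithoutAuthentication(t *testing.T) {
	// Reserve a free loopback port, then release it so the server can bind it.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		t.Fatal(err)
	}
	addr := ln.Addr().String()
	_ = ln.Close()

	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()
	done := make(chan struct{})
	srv := &Server{
		Config: &config.Metrics{Network: "tcp", Bind: addr},
		Log:    slog.Default(),
	}
	go srv.Run(ctx, func() { close(done) })

	// The server starts asynchronously. Issuing the request before it is
	// accepting connections would fail with "connection refused", and an
	// empty body would let the leak assertion below pass vacuously — a
	// regression test that cannot fail. Wait for the listener instead.
	waitForListener(t, addr, 5*time.Second)

	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get("http://" + addr + "/debug/pprof/cmdline")
	if err != nil {
		// The listener is known to be up, so a transport error here is a
		// genuine failure, not a startup race.
		t.Fatalf("GET /debug/pprof/cmdline: %v", err)
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		t.Fatalf("can't read body: %v", err)
	}

	// pprof's cmdline handler echoes os.Args; the test binary is named
	// metrics.test, so seeing it means the endpoint is live.
	if strings.Contains(string(body), "metrics.test") {
		t.Fatalf("pprof is enabled by default, cmdline process arguments: %q", string(body))
	}

	cancel()
	<-done
}

// waitForListener polls addr until a TCP connection succeeds or timeout
// elapses, failing the test in the latter case.
func waitForListener(t *testing.T, addr string, timeout time.Duration) {
	t.Helper()
	deadline := time.Now().Add(timeout)
	for {
		conn, err := net.DialTimeout("tcp", addr, 100*time.Millisecond)
		if err == nil {
			_ = conn.Close()
			return
		}
		if time.Now().After(deadline) {
			t.Fatalf("server at %s did not start listening within %v: %v", addr, timeout, err)
		}
		time.Sleep(10 * time.Millisecond)
	}
}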