Package Instance

ZITADEL Go's GRPC example code vulnerability - GO-2024-2687 HTTP/2 CONTINUATION flood in net/http
### Summary
Applications using the `zitadel-go` `v3` library (`next` branch) might be impacted by package vulnerabilities.
The output of `govulncheck` suggests that only `example` code seems to be impacted, based on 1 of the 3 potential vulnerabilities. This vulnerability is located in the transitive dependency `golang.org/x/net v0.19.0`, [CVE-2023-45288](https://www.cve.org/CVERecord?id=CVE-2023-45288)

### Patches
3.0.0-next versions are fixed on >= [3.0.0-next.3](https://github.com/zitadel/zitadel-go/releases/tag/v3.0.0-next.3)

ZITADEL recommends upgrading to the latest versions available in due course.

### Workarounds

If updating the zitadel-go library is not an option, updating the affected (transient) dependencies works as a workaround.

### Details

#### Direct deps:

- [GO-2024-2631](https://pkg.go.dev/vuln/GO-2024-2631) Decompression bomb vulnerability in github.com/go-jose/go-jose
  - github.com/go-jose/go-jose/v3 Fixed in v3.0.3.

This module is necessary because [github.com/go-jose/go-jose/v3](https://pkg.go.dev/github.com/go-jose/go-jose/v3@v3.0.1) is imported in `github.com/zitadel/zitadel-go/v3/pkg/client/system`.

- [GO-2024-2611](https://pkg.go.dev/vuln/GO-2024-2611) Infinite loop in JSON unmarshaling in google.golang.org/protobuf
  - google.golang.org/protobuf/encoding/protojson
  - google.golang.org/protobuf/internal/encoding/json Fixed in v1.33.0.

This module is necessary because [google.golang.org/protobuf/reflect/protoreflect](https://pkg.go.dev/google.golang.org/protobuf@v1.31.0/reflect/protoreflect) is imported in `github.com/zitadel/zitadel-go/v3/example/api/grpc/proto`.

#### Transitive deps:
- [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687) HTTP/2 CONTINUATION flood in net/http
  - golang.org/x/net/http2 Fixed in v0.23.0.

This module is necessary because [golang.org/x/net/trace](https://pkg.go.dev/golang.org/x/net@v0.19.0/trace) is imported in:
  - `github.com/zitadel/zitadel-go/v3/example/api/grpc`
  - `google.golang.org/grpc`

#### `govulncheck`

```console
=== Symbol Results ===

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.19.0
    Fixed in: golang.org/x/net@v0.23.0
    Example traces found:
      #1: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.ConnectionError.Error
      #2: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.ErrCode.String
      #3: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameHeader.String
      #4: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.FrameType.String
      #5: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.ReadFrame
      #6: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteContinuation
      #7: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteData
      #8: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteGoAway
      #9: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteHeaders
      #10: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WritePing
      #11: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteRSTStream
      #12: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettings
      #13: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteSettingsAck
      #14: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.Framer.WriteWindowUpdate
      #15: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.GoAwayError.Error
      #16: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.Setting.String
      #17: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.SettingID.String
      #18: example/api/grpc/main.go:63:24: grpc.main calls grpc.Server.Serve, which eventually calls http2.SettingsFrame.ForeachSetting
      #19: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.StreamError.Error
      #20: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.chunkWriter.Write
      #21: example/api/grpc/proto/api_grpc.pb.go:239:34: proto.exampleServiceAddTasksServer.Recv calls grpc.serverStream.RecvMsg, which eventually calls http2.connError.Error
      #22: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.duplicatePseudoHeaderError.Error
      #23: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.gzipReader.Close
      #24: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.gzipReader.Read
      #25: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldNameError.Error
      #26: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.headerFieldValueError.Error
      #27: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.pseudoHeaderError.Error
      #28: example/app/app.go:111:27: app.main calls http.ListenAndServe, which eventually calls http2.stickyErrWriter.Write
      #29: pkg/client/auth.go:23:42: client.JWTAuthentication calls profile.NewJWTProfileTokenSource, which eventually calls http2.transportResponseBody.Close
      #30: pkg/authentication/state.go:20:26: authentication.State.Encrypt calls crypto.EncryptAES, which eventually calls http2.transportResponseBody.Read
      #31: pkg/client/auth.go:92:20: client.ScopeProjectID calls fmt.Sprintf, which eventually calls http2.writeData.String

Your code is affected by 1 vulnerability from 1 module.
This scan also found 2 vulnerabilities in packages you import and 1
vulnerability in modules you require, but your code doesn't appear to call these
vulnerabilities.
```

### PoC
No specific configuration required.

### Impact
Indirect package vulnerability. Users following example code might be impacted.

### References

- https://pkg.go.dev/vuln/GO-2024-2631
- https://pkg.go.dev/vuln/GO-2024-2611
- https://pkg.go.dev/vuln/GO-2024-2687

### Credits

Thanks to @helpisdev for reporting this.