chore(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security]

[gabe565-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-chi/chi/v5	v5.2.1 -> v5.2.2

GitHub Vulnerability Alerts

GHSA-vrw8-fxc6-2r93

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

We consider this a lower-severity open redirect, as it can't be exploited from browsers or email clients (requires manipulation of a Host header).

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/master/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

---

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

v5.2.2

Compare Source

What's Changed

• Use strings.Cut in a few places by @​JRaspass in #​971
• Fix non-constant format strings in t.Fatalf by @​JRaspass in #​972
• Apply fieldalignment fixes to optimize struct memory layout by @​pixel365 in #​974
• go 1.24 by @​pkieltyka in #​977
• chore: delint ioutil usage by @​costela in #​962
• Fixed typo in Router interface definition by @​mithileshgupta12 in #​958
• Add support for TinyGo by @​efraimbart in #​978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @​cxjava in #​982
• Make use of strings.Cut by @​scop in #​1005
• Change install command format to code block by @​sglkc in #​1001
• Correct documentation by @​mrdomino in #​992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

• @​pixel365 made their first contribution in #​974
• @​mithileshgupta12 made their first contribution in #​958
• @​efraimbart made their first contribution in #​978
• @​cxjava made their first contribution in #​982
• @​sglkc made their first contribution in #​1001
• @​mrdomino made their first contribution in #​992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​go-chi/​chi/​v5@​v5.2.1 ⏵ v5.2.2		+3

View full report