Athens: Non-Random UUIDs

Created on 31 Jul 2018 · 3 Comments · Source: gomods/athens

Athens uses github.com/gobuffalo/uuid for the generation of UUIDs.
The generated UUIDs are used, for example, when saving a module in storage [1].

github.com/gobuffalo/uuid, which is a fork of https://github.com/satori/go.uuid, is vulnerable to a bug where it can generate non-random UUIDs with collisions.
I'm guessing we wouldn't want to, for example, try to store different modules using the same UUID [2].

There's already a tracking issue in github.com/gobuffalo/uuid [3] and a parent one in github.com/satori/go.uuid [4].

The buggy code in github.com/gobuffalo/uuid seems to be [5].
The fix would be [6].

I have opened this issue as a tracking issue of the upstream bug in https://github.com/gobuffalo/uuid.

ref:

  1. https://github.com/gomods/athens/blob/master/pkg/cdn/metadata/mongo/saver.go
  2. https://github.com/gomods/athens/blob/43cb601718b72a79c9d94bd9a15178bd8ac4496f/pkg/cdn/metadata/mongo/saver.go#L12-L18
  3. https://github.com/gobuffalo/uuid/issues/1
  4. https://github.com/satori/go.uuid/issues/73
  5. https://github.com/gobuffalo/uuid/blob/3a9fb6c5c481d4886f1e9323c61ad743fb955860/generator.go#L167-L171
  6. https://github.com/satori/go.uuid/issues/73#issuecomment-378573107
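The defect class this issue tracks, shown as an added example that is not code from Athens, gobuffalo/uuid or satori/go.uuid. It assumes (from the linked upstream issue and fix) that the bug is a v4 generator which checks the error from the random source but not the number of bytes read, so a short read silently yields a zero-padded, collision-prone UUID; `newV4Unchecked`, `newV4` and the 2-byte reader are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
)

// UUID is a 128-bit RFC 4122 identifier.
type UUID [16]byte
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[:4], u[4:6], u[6:8], u[8:10], u[10:])
}
// setVersionAndVariant stamps the version-4 nibble and RFC 4122 variant bits.
func setVersionAndVariant(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40
	u[8] = (u[8] & 0x3f) | 0x80
}
// newV4Unchecked reproduces the assumed defect: the error is checked but the byte
// count is not, so a short read leaves the tail zeroed and the call still "succeeds".
func newV4Unchecked(src io.Reader) (UUID, error) {
	var u UUID
	if _, err := src.Read(u[:]); err != nil {
		return UUID{}, err
	}
	setVersionAndVariant(&u)
	return u, nil
}
// newV4 is the hardened form: io.ReadFull either fills all 16 bytes or returns
// an error, so a degraded random source can never produce a UUID.
func newV4(src io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(src, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: could not read 16 random bytes: %w", err)
	}
	setVersionAndVariant(&u)
	return u, nil
}

func main() {
	short := func() io.Reader { return bytes.NewReader([]byte{0xAB, 0xCD}) } // constructed: 2 bytes, then EOF
	a, _ := newV4Unchecked(short())
	b, _ := newV4Unchecked(short())
	fmt.Println("unchecked:", a, "collides with second call:", a == b)
	_, err := newV4(short())
	fmt.Println("checked:", err)
	u, _ := newV4(rand.Reader)
	fmt.Println("healthy source:", u)
}
```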

All 3 comments

@komuw thanks! Is there anything you think we should do right now in our repo?

Also, depending on how this discussion goes, we might be removing the RDBMS drivers, which would remove a lot of our UUID usage, fyi.

@arschles hi.

I do not know if there's something we can do right now, short of moving to another uuid package that doesn't have this bug.
I think we can track https://github.com/gobuffalo/uuid/pull/2 for the next few days and see how it goes; I think @markbates is the lead dev on that project and he's also (I think) the lead organiser of GopherconUK, which was this week, so he may not have had time to look at the PR. I'll give him a few days, then I'll ping him on the PR.

I'll also track https://github.com/gomods/athens/issues/383 since from that we may not need UUIDs. Although I think gobuffalo itself also uses github.com/gobuffalo/uuid, so it would be ideal if the package got patched.

track: https://github.com/gomods/athens/issues/383
