11-14-2018 11:54 AM - edited 11-14-2018 01:16 PM
GOLANG PSIRT client API returns an empty body but with a 200 OK; Postman returns 200 OK with body content
`swagger.` represents the prefix package name of the PSIRT API client.
ref: https://github.com/CiscoPSIRT/openVulnAPI/tree/master/example_code/go_examples
ciscoConf := swagger.NewConfiguration()
ciscoConf.AddDefaultHeader("Authorization", "Bearer iOCKYbks9oCy704OYE3PARio3F5s")
ciscoApi := swagger.NewAPIClient(ciscoConf)
ctx := context.Background()
apiQ, _ := ciscoApi.DefaultApi.SecurityAdvisoriesAdvisoryAdvisoryIdGet(ctx, "cisco-sa-20181003-asa-dma-dos")
//swagger.DefaultApiService().SecurityAdvisoriesAdvisoryAdvisoryIdGet(ctx, "cisco-sa-20181003-asa-dma-dos")
println(apiQ.ContentLength)
apiQContent, _ := ioutil.ReadAll(apiQ.Body)
println(string(apiQContent))
apirR := swagger.NewAPIResponse(apiQ)
println(apirR.ContentLength)
println("end")
standard output (content length = -1; empty):
-1
-1
end
11-15-2018 04:39 AM - edited 11-15-2018 04:44 AM
Hi,
I've tested your code and I think the main issue is in default_api.go here: https://github.com/CiscoPSIRT/openVulnAPI/blob/master/example_code/go_examples/default_api.go#L79
The method is closing the body at the end of the call which doesn't give you a chance to process it.
I've commented out the line in default_api.go and changed your code as below, and was able to get the output:
apiQContent, err := ioutil.ReadAll(apiQ.Body)
if err != nil {
	log.Println("Error while processing response body", err)
}
defer apiQ.Body.Close()
println(string(apiQContent))
{"advisories":[{"advisoryId":"cisco-sa-20181003-asa-dma-dos","advisoryTitle":"Cisco Adaptive Security Appliance Direct Memory Access Denial of Service Vulnerability","bugIDs":["CSCvj89470"],"ipsSignatures":["NA"],"cves":["CVE-2018-15383"],"cvrfUrl":"https://tools.cisco.com/security/center/contentxml/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos/cvrf/cisco-sa-20181003-asa-dma-dos_cvrf.xml","ovalUrl":["NA"],"cvssBaseScore":"8.6","cwe":["CWE-400"],"firstPublished":"2018-10-03T16:00:00-0500","lastUpdated":"2018-10-29T14:02:30-0500","productNames":["Cisco Adaptive Security Appliance (ASA) Software ","Cisco Firepower Threat Defense Software "],"publicationUrl":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos","sir":"High","summary":"<p>A vulnerability in the cryptographic hardware accelerator driver of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a temporary denial of service (DoS) condition.</p>\n<p>The vulnerability exists because the affected devices have a limited amount of Direct Memory Access (DMA) memory and the affected software improperly handles resources in low-memory conditions. An attacker could exploit this vulnerability by sending a sustained, high rate of malicious traffic to an affected device to exhaust memory on the device. A successful exploit could allow the attacker to exhaust DMA memory on the affected device, which could cause the device to reload and result in a temporary DoS condition.</p>\n<p>Cisco has released software updates that address this vulnerability. 
There are no workarounds that address this vulnerability.</p>\n<p>This advisory is available at the following link:<br />\n<a href=\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos\">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181003-asa-dma-dos</a></p>"}]}
Also note Content-Length with value -1 doesn't mean the response is empty. It just means the content length is unknown https://golang.org/src/net/http/response.go
Most likely because the Go HTTP library uses chunked encoding by default.
Personally, I prefer to use the native http client in Go and build my own structs to encode/decode JSON rather than any abstract client, but that's just a personal taste :-)
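The two points in the answer above, as an added Go example that is not part of the original post or of Cisco's client: a chunked response reports ContentLength -1 yet still carries a body, and a body that was closed before the caller reads it cannot be decoded. The local stub server, `newStubServer`, `fetch`, the `Advisory` struct and the trimmed sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Advisory maps a few fields of the openVuln JSON shown in the answer above.
type Advisory struct {
	AdvisoryID string   `json:"advisoryId"`
	CVEs       []string `json:"cves"`
	SIR        string   `json:"sir"`
}

// Constructed sample: the thread's response trimmed to three fields.
const sample = `{"advisories":[{"advisoryId":"cisco-sa-20181003-asa-dma-dos","cves":["CVE-2018-15383"],"sir":"High"}]}`

// newStubServer (hypothetical helper) serves the sample with chunked encoding.
func newStubServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, sample)
		w.(http.Flusher).Flush() // flushing before return means no Content-Length is sent
	}))
}

// fetch decodes the advisories; closeEarly mimics a wrapper that closes Body first.
func fetch(url string, closeEarly bool) (int64, []Advisory, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	if closeEarly {
		resp.Body.Close()
	}
	var out struct {
		Advisories []Advisory `json:"advisories"`
	}
	// Cap the read at 1 MiB so an oversized response cannot exhaust memory.
	err = json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&out)
	return resp.ContentLength, out.Advisories, err
}

func main() {
	srv := newStubServer()
	defer srv.Close()
	fmt.Println(fetch(srv.URL, false)) // length unknown, body still decodes
	fmt.Println(fetch(srv.URL, true))  // read on a closed body returns an error
}
```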
11-15-2018 08:26 AM
Your answer is very helpful
I'll wait for others to provide an answer, with this added comment:
The API I am using is developed by Cisco; its doc refers to the body as returning nothing (I wonder if the returned JSON is injected somewhere inside the swagger client buffer just before closing the Response body)
The API doc refers to the body as returning nothing:
I'll dig more into chunked encoding and also look at the object swagger.NewAPIResponse
Thanks!
11-15-2018 01:29 PM
I was expecting not to have to map the JSON to a Golang struct, using only swagger.NewAPIResponse(), but it needs to be developed for Golang; the Python example has the mapping coded already (https://github.com/CiscoPSIRT/openVulnAPI/blob/2803abf80bcabd77a4358c7a231b45aa4ea15201/openVulnQuery/openVulnQuery/_library/advisory.py)
Thanks