WriteHeader(clientResp.StatusCode) _, _ = io.Copy(wr, clientResp.Body) } PoC The following PoC demonstrates the issue. To reproduce, run the following PoC with go run main.go. We include the expected stacktrace below Do(req) fmt.Println("Copying...") if _, err := io.Copy(io.Discard, resp.Body); err != nil { } } PoC - expected stacktrace fatal error: runtime: out of memory runtime stack: runtime.throw({0x55962e user who can send a pubsub message to the Pulsar component to crash the Dapr sidecar. The following PoC demonstrates the issue. Add the unit test to components-contrib/pubsub/pulsar/pulsar_test.go and run

findings will be discussed in a chronological order alongside technical descriptions, as well as PoC and mitigation advice when applicable. Since most issues are reflective of a custom configuration redis instances, which will enable the attacker to establish a session to the master-0 redis pod. PoC Attacker has gained shell access to the Python application pod. • Using wget, the attacker downloads all secrets and assets for the entire cluster, which would in turn lead to a complete compromise. PoC /tmp # uname -a Linux pythonapp-b57b5897c-gfwj4 4.15.0-1082-azure #92~16.04.1-Ubuntu SMP /tmp # ./kubectl

that the HTTP Parameter Pollution is still possible, as demonstrated via the Proof-of-Concept (PoC) below. PoC: /tmp # ./curl -d "{"data":{"orderId":"1"}}" -i -H 'dapr-api-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9 } func isActionAllowed(action string) bool { return strings.EqualFold(action, AllowAccess) } PoC: The following HTTP requests demonstrate that accessing the /neworder API of nodeapp is prohibited

panic in the Go standard library, when the key gets serialized. This is illustrated with the below PoC: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 package panic(err) } } Figure 2.1: Proof of concept payload to trigger issue ADA-DAP-FUZZ-2 Running this PoC will result in the following panic: panic: runtime error: index out of range [-1] goroutine 1 [running]: