Merge pull request #30 from auth0-samples/add-security-warning-notice

jimmyjames · web-flow · commit 21d9d59ead7f · 2021-01-08T14:05:59.000-06:00
Add notice to Go API Sample for 3rd Party Vulnerability
diff --git a/01-Authorization-RS256/README.md b/01-Authorization-RS256/README.md
@@ -1,5 +1,7 @@
 # Golang Authorization for RS256-Signed Tokens
 
+> :warning:  **Important security note:** This solution uses a 3rd party library with an unresolved [security issue](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26160). Please review the details of the vulnerability, including any of the documented mitigations, before implementing the solution.
+
 This sample demonstrates how to protect endpoints in a Go API by verifying an incoming JWT access token signed by Auth0. The token must be signed with the RS256 algorithm and must be verified against your Auth0 JSON Web Key Set.
 
 ## Getting Started
diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # Auth0 Golang API Samples
 
+> :warning:  **Important security note:** This solution uses a 3rd party library with an unresolved [security issue](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-26160). Please review the details of the vulnerability, including any of the documented mitigations, before implementing the solution.
+
 [![CircleCI](https://img.shields.io/circleci/project/github/auth0-samples/auth0-golang-api-samples.svg?style=flat-square)](https://circleci.com/gh/auth0-samples/auth0-golang-api-samples/tree/master)
 
 These samples demonstrate how to create an API with Go which only permits access to resources if a valid **access token** is included. This verification is done by validating the signature and claims in a JSON Web Token (JWT) signed by Auth0.
