huntr, Akincibor, CAB50E44-0995-4AC1-A5D5-889293B9704F
May 05, 2022 - 6:47 p.m.

RCE due to a dependency confusion

2022-05-05 18:47:15
akincibor
www.huntr.dev
8
rce
dependency confusion
vulnerability
github
redirection

EPSS

0.001

Percentile

31.8%

Description

Hi team,

I hope you are well. I found a dependency confusion vulnerability in this repo.

When I analyzed your repo, I found a Makefile which installs a dependency: https://github.com/bits-and-blooms/bloom/blob/25ba46ef8744ddeba999dcd048dbb8b0fa87edb3/Makefile#L188

go get github.com/GoASTScanner/gas

I then tested this URL and it was redirecting to https://github.com/securego/gosec. So, I tested whether I could take over the old username to cause a dependency confusion vulnerability. This username was available to take, and I took it for the PoC. But to not impact any users, I did the following steps.

Proof of Concept

1.) I forked https://github.com/securego/gosec

2.) I changed the repo name from gosec to gas

3.) I changed my username from akincibor to GoASTScanner

4.) I re-changed my username from GoASTScanner to akincibor

Now github.com/GoASTScanner/gas is redirecting to my repo github.com/akincibor/gas.

Anyone can make this URL redirect to their own repo. They can also create a new GitHub account and take the old username without re-changing it.
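
A defender-side check for the condition the report describes, added here as an example and not part of the original report or the bloom project: it scans Makefile text for `go get` / `go install` of github.com paths and flags any that redirect to a different owner or repository. The function names, the `example-org/example-tool` path and the sample data are constructed; the live resolver assumes GitHub answers a renamed repository with an HTTP redirect, as the report observed.

```python
import re
import urllib.error
import urllib.request

# Matches `go get` / `go install` of a github.com module; captures owner and repo.
GO_GET = re.compile(r"\bgo\s+(?:get|install)\s+(?:-\S+\s+)*github\.com/([\w.-]+)/([\w.-]+)")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError

def github_location(owner, repo, timeout=10):
    """Live check: Location header if github.com/owner/repo redirects, else None."""
    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 307, 308):
            return err.headers.get("Location")
        raise
    return None

def find_moved_imports(makefile_text, resolve=github_location):
    """Return (line, old_path, new_path, owner_changed) for each redirecting import."""
    findings = []
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip Makefile comments
        for owner, repo in GO_GET.findall(line):
            location = resolve(owner, repo)
            if not location:
                continue
            new_owner, new_repo = location.rstrip("/").split("/")[-2:]
            if (new_owner.lower(), new_repo.lower()) != (owner.lower(), repo.lower()):
                # A changed owner means the old account name may be free to register.
                findings.append((lineno, f"{owner}/{repo}", f"{new_owner}/{new_repo}",
                                 new_owner.lower() != owner.lower()))
    return findings

# Constructed sample input; the first path and its redirect target are those in the report.
SAMPLE_MAKEFILE = ("lint:\n\tgo get github.com/GoASTScanner/gas\n"
                   "\tgo get -u github.com/example-org/example-tool\n")
SAMPLE_REDIRECTS = {("GoASTScanner", "gas"): "https://github.com/securego/gosec"}

def sample_resolve(owner, repo):
    return SAMPLE_REDIRECTS.get((owner, repo))  # offline stand-in for github_location

if __name__ == "__main__":
    for finding in find_moved_imports(SAMPLE_MAKEFILE, sample_resolve):
        print(finding)
```

Each finding with `owner_changed` set is a path to rewrite to the current owner and repository, so the build no longer depends on the redirect.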
