
Remove dependency on deprecated request package #2995

Closed
mnoah1 opened this issue Sep 27, 2023 · 4 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments


mnoah1 commented Sep 27, 2023

What version of Go, VS Code & VS Code Go extension are you using?

Current version on master

Share the Go related settings you have added/edited

N/A

Describe the bug

The extension has a dependency on web-request, which has not been updated in 7 years and depends on the request package, which was deprecated 4 years ago.

Request depends on an outdated version of the tough-cookie package, which flags the following vulnerability: "Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized." Since request is deprecated, this creates challenges in upgrading this.

Steps to reproduce the behavior:

Ran a security report on the extension using FOSSA

Screenshots or recordings

https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873

@gopherbot gopherbot added this to the Untriaged milestone Sep 27, 2023

hyangah commented Sep 28, 2023

Can you help us understand how this vulnerability is actually affecting this extension? That will help us triage & prioritize this issue.


mnoah1 commented Sep 29, 2023

Here are the attack types listed on the page above. Based on how the library is currently being used in the extension, none of these seem particularly likely.

| Type | Origin | Short description |
| --- | --- | --- |
| Denial of service (DoS) | Client | This is the most likely attack. DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf). The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service. For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail. |
| Remote Code Execution | Client | Remote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation. For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code. |
| Property Injection | Client | The attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens. For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges. |

However, I wanted to document this as it shows up on a security scan, and using a newer library that can be kept updated would help minimize noise for these types of issues.
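
The table pasted above describes the attack types generically. The following is an added example, not part of the original thread and not tough-cookie's or the Go extension's code: a constructed cookie store that reproduces the pattern the advisory text describes (objects keyed by attacker-influenced strings, initialized as plain object literals), next to a hardened version, and the two effects from the table that do not need an eval: property injection against an authorization check and a DoS against a generic method call. The function names (vulnerableStore, hardenedStore, isAdmin, describe, demonstrate), the "domain" values and the user objects are all hypothetical inputs constructed for the demonstration.

```javascript
// Added example for this thread (not tough-cookie's or the extension's
// code). The store, its function names and all inputs are constructed.

// Vulnerable store: plain object literals inherit from Object.prototype, so
// the key "__proto__" resolves to Object.prototype itself and the nested
// assignment writes onto every object in the process.
function vulnerableStore() {
  const byDomain = {};
  return {
    setCookie(domain, name, value) {
      if (!byDomain[domain]) byDomain[domain] = {};
      byDomain[domain][name] = value;       // domain === "__proto__" pollutes
    },
    getCookie(domain, name) {
      return byDomain[domain] ? byDomain[domain][name] : undefined;
    },
  };
}

// Hardened store: null-prototype objects have no prototype chain to reach,
// and keys that only make sense as prototype-chain names are rejected
// outright (no real cookie domain is called "__proto__").
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function hardenedStore() {
  const byDomain = Object.create(null);
  return {
    setCookie(domain, name, value) {
      if (UNSAFE_KEYS.has(domain) || UNSAFE_KEYS.has(name)) {
        throw new Error('rejected unsafe key');
      }
      if (!Object.prototype.hasOwnProperty.call(byDomain, domain)) {
        byDomain[domain] = Object.create(null);
      }
      byDomain[domain][name] = value;
    },
    getCookie(domain, name) {
      const jar = byDomain[domain];
      return jar ? jar[name] : undefined;
    },
  };
}

// Two unrelated consumers that a polluted prototype breaks, as in the table:
// an authorization check (property injection) and a generic method (DoS).
function isAdmin(user) {
  return user.isAdmin === true;
}
function describe(obj) {
  try {
    return obj.toString();
  } catch (e) {
    return 'toString failed: ' + e.constructor.name;
  }
}

// Runs both stores against the same attacker-controlled input and restores
// Object.prototype afterwards so the rest of the process is unaffected.
function demonstrate() {
  const savedToString = Object.prototype.toString;
  const results = {};
  try {
    const v = vulnerableStore();
    const user = { name: 'alice' };                 // never granted admin
    results.adminBefore = isAdmin(user);            // false
    v.setCookie('__proto__', 'isAdmin', true);      // attacker-chosen "domain"
    results.adminAfter = isAdmin(user);             // true: property injection
    results.leakedEverywhere = ({}).isAdmin;        // true: every object sees it
    v.setCookie('__proto__', 'toString', 42);       // generic method replaced
    results.dosEffect = describe({ a: 1 });         // 'toString failed: TypeError'
  } finally {
    delete Object.prototype.isAdmin;
    Object.prototype.toString = savedToString;
  }

  const h = hardenedStore();
  h.setCookie('example.com', 'session', 'abc');
  results.hardenedLookup = h.getCookie('example.com', 'session'); // 'abc'
  results.hardenedRejected = false;
  try {
    h.setCookie('__proto__', 'isAdmin', true);
  } catch (e) {
    results.hardenedRejected = true;                // true: key refused
  }
  results.adminAfterHardened = isAdmin({ name: 'bob' }); // false
  results.prototypeClean = ({}).isAdmin === undefined;   // true
  return results;
}

console.log(demonstrate());
```

The practical triage question for a dependency like this is the one asked above: whether any attacker-controlled domain string can reach the CookieJar at all, and under which options. A Map keyed by domain is an equally good replacement for the null-prototype objects; the point is that the container must not share a prototype chain with the rest of the program.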


hyangah commented Oct 5, 2023

Thanks for investigating the risk.

@hyangah hyangah added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 5, 2023
@hyangah hyangah modified the milestones: Untriaged, v0.41.0 Oct 5, 2023
@hyangah hyangah modified the milestones: v0.41.0, v0.40.1 Nov 6, 2023
@hyangah hyangah modified the milestones: v0.40.1, v0.42.0 Dec 13, 2023
@gopherbot

Change https://go.dev/cl/551115 mentions this issue: package.json: replace deprecated web-request with node-fetch@v2

@hyangah hyangah modified the milestones: v0.42.0, v0.41.0 Dec 19, 2023
@golang golang locked and limited conversation to collaborators Dec 18, 2024
Development

No branches or pull requests

3 participants