Description
Hi, I agree with the Bleve team that this CVE is pretty unfair given it only relates to demo code!
Our reality is that even with the disclaimer, any project using bleve will get tagged with an unmitigated medium vulnerability, and many clients with secure environments will flat out block deployments with known vulnerabilities. So it's still causing pain (for me at least 😄 ).
I thought perhaps a clean solution could be to make the http directory a separate repository, that could be anonymously imported alongside bleve to enable the demo webserver. The CVE should then move to that repo instead. It can be named in a way that makes it very clear it is demo-only functionality. Then people that wish to use the web server can opt in for it, and the CVE.
I'm happy to do the work and supply a PR if you think this is at all a sensible idea!