Hello,
My name is Dominik Blain, Co-Founder at QreativeLab. I conduct formal verification analysis of open-source software.
I identified two defects in StatCan open-source repositories affecting the Advanced Analytics Workspace (AAW). I am disclosing under a 90-day responsible disclosure window.
Finding SC-001 — MEDIUM
Repo: StatCan/cidr-allocator
File: internal/networking/networking.go:56
CWE: CWE-191 — Integer Underflow
func NumUsableHostsForMask(ones uint8) (uint32, error) {
    total, err := NumHostsForMask(ones) // returns uint32(2^(32-ones))
    if err != nil {
        return 0, err
    }
    return total - 2, nil // uint32 underflow when ones=32 (total=1)
}
When ones = 32, NumHostsForMask returns total = 1. The expression total - 2 underflows in unsigned arithmetic to 4,294,967,295. The downstream CIDR calculation produces an incorrect subnet size, leading to overlapping pod CIDRs across Kubernetes nodes and potential pod-to-pod routing failures.
Second path in nodecidrallocation_controller.go:228-229: maxPods is cast from int64 to uint32 without a bounds check.
Fix:
    if total < 2 {
        return 0, fmt.Errorf("mask /%d has insufficient hosts for usable allocation", ones)
    }
    return total - 2, nil
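Added example (not code from the StatCan repository): the vulnerable and fixed versions of NumUsableHostsForMask side by side, together with a bounds-checked int64-to-uint32 conversion of the kind the second path lacks. NumHostsForMask is a stand-in written from the report's description (uint32(2^(32-ones))), and MaxPodsToUint32 is a hypothetical name.

```go
package main

import "fmt"

// NumHostsForMask stands in (assumption) for the repository helper, returning
// uint32(2^(32-ones)); /0 (2^32 hosts) does not fit in uint32, so it is rejected.
func NumHostsForMask(ones uint8) (uint32, error) {
	if ones == 0 || ones > 32 {
		return 0, fmt.Errorf("mask /%d is outside the representable range", ones)
	}
	return uint32(1) << (32 - ones), nil
}

// NumUsableHostsForMaskVulnerable reproduces the reported defect: for /32,
// total is 1 and the unsigned subtraction wraps to 4294967295.
func NumUsableHostsForMaskVulnerable(ones uint8) (uint32, error) {
	total, err := NumHostsForMask(ones)
	if err != nil {
		return 0, err
	}
	return total - 2, nil
}

// NumUsableHostsForMask applies the reported fix: masks with fewer than two
// addresses are rejected, so the subtraction can never wrap.
func NumUsableHostsForMask(ones uint8) (uint32, error) {
	total, err := NumHostsForMask(ones)
	if err != nil {
		return 0, err
	}
	if total < 2 {
		return 0, fmt.Errorf("mask /%d has insufficient hosts for usable allocation", ones)
	}
	return total - 2, nil
}

// MaxPodsToUint32 (hypothetical name) shows the bounds check the report says is
// missing on the int64 -> uint32 cast: out-of-range values are rejected, not truncated.
func MaxPodsToUint32(maxPods int64) (uint32, error) {
	if maxPods < 0 || maxPods > 1<<32-1 {
		return 0, fmt.Errorf("maxPods %d is outside the uint32 range", maxPods)
	}
	return uint32(maxPods), nil
}

func main() {
	bad, _ := NumUsableHostsForMaskVulnerable(32)
	_, err := NumUsableHostsForMask(32)
	fmt.Printf("/32: vulnerable=%d fixed=%v\n", bad, err)
}
```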
Finding SC-002 — HIGH
Repo: StatCan/zone-oidc-authservice (issues disabled — reporting here)
File: server.go:383-384
CWE: CWE-476 — NULL Pointer Dereference
newTokens, _, err := oidc.TokenSource(ctx, s.oauth2Config, oauth2Tokens)
userInfo, err := oidc.GetUserInfo(ctx, s.provider, newTokens) // err overwritten, newTokens may be nil
TokenSource can return nil on OAuth2 provider failure. That error is silently overwritten. GetUserInfo calls newTokens.SetAuthHeader(req) on a nil pointer → Go panic → AuthService pod crash → all AAW users logged out.
Fix: Check err from TokenSource before calling GetUserInfo and return early.
Timeline
- 2026-04-02 — Initial disclosure
- 2026-07-01 — 90-day window expires
Dominik Blain
Co-Founder, QreativeLab
dominik@qreativelab.io