Findings

High

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
The `unsafe` package in Go allows low-level access to memory management features.
This includes pointers and direct access to memory. The Go compiler will no longer
be able to enforce type safety when working with the `unsafe` pointer types.

While powerful, access to these functions can lead to many security related issues
 such as:

- [Buffer overflows](https://owasp.org/www-community/vulnerabilities/Buffer_Overflow) which
can lead to code execution.
- [Use after free](https://owasp.org/www-community/vulnerabilities/Using_freed_memory) which
can lead to code execution.
- [Information/Memory leaks](https://owasp.org/www-community/vulnerabilities/Memory_leak)
which can leak sensitive information, including data which can
defeat other protection mechanisms or cause the system to run out of memory.

Unless required, all calls to the `unsafe` package should be removed.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G103-1
Value: gosec.G103-1

Identifier type: owasp
Name: A06:2021 - Vulnerable and Outdated Components
Value: A06:2021

Identifier type: owasp
Name: A9:2017 - Using Components with Known Vulnerabilities
Value: A9:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G103
Value: G103

CVSS v3

None

Description

Scanner: Semgrep
SQL Injection is a critical vulnerability that can lead to data or system compromise. By
dynamically generating SQL query strings, user input may be able to influence the logic of
the SQL statement. This could lead to an adversary accessing information they should
not have access to or in some circumstances, being able to execute OS functionality or code.

Replace all dynamically generated SQL queries with parameterized queries. In situations where
dynamic queries must be created, never use direct user input, but instead use a map or
dictionary of valid values and resolve them using a user supplied key.

For example, some database drivers do not allow parameterized queries for `>` or `<` comparison
operators. In these cases, do not use a user supplied `>` or `<` value, but rather have the
user
supply a `gt` or `lt` value. The alphabetical values are then used to look up the `>` and `<`
values to be used in the construction of the dynamic query. The same goes for other queries
where
column or table names are required but cannot be parameterized.

Example using parameterized queries with `sql.Query`:
```
rows, err := db.Query("SELECT * FROM users WHERE userName = ?", userName)
if err != nil {
    return nil, err
}
defer rows.Close()
for rows.Next() {
  // ... process rows
}
```

For more information on SQL Injection see OWASP:
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G202-1
Value: gosec.G202-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G201
Value: G201

Identifier type: gosec_rule_id
Name: Gosec Rule ID G202
Value: G202

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

CVSS v3

None

Description

Scanner: Semgrep
OS command injection is a critical vulnerability that can lead to a full system
compromise as it may allow an adversary to pass in arbitrary commands or arguments
to be executed.

User input should never be used in constructing commands or command arguments
to functions which execute OS commands. This includes filenames supplied by
user uploads or downloads.

Ensure your application does not:

- Use user-supplied information in the process name to execute.
- Use user-supplied information in an OS command execution function which does
not escape shell meta-characters.
- Use user-supplied information in arguments to OS commands.

The application should have a hardcoded set of arguments that are to be passed
to OS commands. If filenames are being passed to these functions, it is
recommended that a hash of the filename be used instead, or some other unique
identifier. It is strongly recommended that a native library that implements
the same functionality be used instead of using OS system commands, due to the
risk of unknown attacks against third party commands.

If operating in Windows environments, when specifying the OS command, ensure
the application uses the full path
information, otherwise the OS may attempt to look up which process to execute
and could be vulnerable to untrusted search path vulnerabilities (CWE-426).

Example of safely executing an OS command:
```
userData := []byte("user data")
// create a temporary file in the application specific directory
f, err := ioutil.TempFile("/var/app/restricted", "temp-*.dat")
if err != nil {
  log.Fatal(err)
}

if _, err := f.Write(userData); err != nil {
  log.Fatal(err)
}

if err := f.Close(); err != nil {
  log.Fatal(err)
}

// pass the full path to the binary and the name of the temporary file
// instead of any user supplied filename
out, err := exec.Command("/bin/cat", f.Name()).Output()
if err != nil {
  log.Fatal(err)
}
```

For more information on OS command injection, see OWASP's guide:
https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G204-1
Value: gosec.G204-1

Identifier type: owasp
Name: A03:2021 - Injection
Value: A03:2021

Identifier type: owasp
Name: A1:2017 - Injection
Value: A1:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G204
Value: G204

Medium

CVSS v3

None

Description

Scanner: Semgrep
Go has a built in profiling service that is enabled by starting an HTTP server with
`net/http/pprof` imported. The `/debug/pprof` endpoint does not require any
authentication and can be accessed by anonymous users. This profiling endpoint
can leak sensitive information and should not be enabled in production.

To remediate this, remove the `net/http/pprof` import from the file.

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G108-1
Value: gosec.G108-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G108
Value: G108

CVSS v3

None

Description

Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304

CVSS v3

None

Description

Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304

CVSS v3

None

Description

Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304

CVSS v3

None

Description

Scanner: Semgrep
The application dynamically constructs file or path information. If the path
information comes from user input, it could be abused to read sensitive files,
access other users data or aid in exploitation to gain further system access.

User input should never be used in constructing paths or files for interacting
with the filesystem. This includes filenames supplied by user uploads or downloads.
If possible, consider hashing user input or replacing it with unique values.
Additionally, use `filepath.Base` to only use the filename and not path information.
Always validate the full path prior to opening or writing to any file.

Example using `filepath.Base`, generating a unique filename without using
user input to construct filepath information:
```
type userData struct {
    id           string
    userFilename string
}

func newUserData(userFilename string) userData {
    return userData{
        id:           randomFileID(), // random id as the filename
        userFilename: userFilename,
    }
}

// randomFileID generates a random id, to be used as a filename
func randomFileID() string {
    id := make([]byte, 16)
    if _, err := io.ReadFull(rand.Reader, id); err != nil {
        log.Fatal(err)
    }
    return hex.EncodeToString(id)
}

func main() {

    // user input, saved only as a reference
    data := newUserData("../../possibly/malicious")

    // restrict all file access to this path
    const basePath = "/tmp/"

    // resolve the full path, but only use our random generated id
    resolvedPath, err := filepath.Join(basePath, filepath.Base(data.id))
    if err != nil {
        log.Fatal(err)
    }

    // verify the path is prefixed with our basePath
    if !strings.HasPrefix(resolvedPath, basePath) {
        log.Fatal("path does not start with basePath")
    }
    // process / work with file
}
```

For more information on path traversal issues see OWASP:
https://owasp.org/www-community/attacks/Path_Traversal

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G304-1
Value: gosec.G304-1

Identifier type: owasp
Name: A01:2021 - Broken Access Control
Value: A01:2021

Identifier type: owasp
Name: A5:2017 - Broken Access Control
Value: A5:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G304
Value: G304

Low

CVSS v3

None

Description

Scanner: Semgrep
Go's `net/http` serve functions may be vulnerable to resource consumption attacks if timeouts
are not properly configured
prior to starting the HTTP server. An adversary may open up thousands of connections but never
complete sending all data,
or never terminate the connections. This may lead to the server no longer accepting new
connections.

To protect against this style of resource consumption attack, timeouts should be set in the
`net/http` server prior to calling
the listen or serve functions. What this means is that the default `http.ListenAndServe` and
`http.Serve` functions should not
be used in a production setting as they are unable to have timeouts configured. Instead a
custom `http.Server` object must be
created with the timeouts configured.

Example setting timeouts on a `net/http` server:
```
// All values chosen below are dependent on application logic and
// should be tailored per use-case
srv := &http.Server{
  Addr: "localhost:8000",
  // ReadHeaderTimeout is the amount of time allowed to read
  // request headers. The connection's read deadline is reset
  // after reading the headers and the Handler can decide what
  // is considered too slow for the body. If ReadHeaderTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  ReadHeaderTimeout: 15 * time.Second,

  // ReadTimeout is the maximum duration for reading the entire
  // request, including the body. A zero or negative value means
  // there will be no timeout.
  //
  // Because ReadTimeout does not let Handlers make per-request
  // decisions on each request body's acceptable deadline or
  // upload rate, most users will prefer to use
  // ReadHeaderTimeout. It is valid to use them both.
  ReadTimeout: 15 * time.Second,

  // WriteTimeout is the maximum duration before timing out
  // writes of the response. It is reset whenever a new
  // request's header is read. Like ReadTimeout, it does not
  // let Handlers make decisions on a per-request basis.
  // A zero or negative value means there will be no timeout.
  WriteTimeout: 10 * time.Second,

  // IdleTimeout is the maximum amount of time to wait for the
  // next request when keep-alives are enabled. If IdleTimeout
  // is zero, the value of ReadTimeout is used. If both are
  // zero, there is no timeout.
  IdleTimeout: 30 * time.Second,
}

// For per request timeouts applications can wrap all `http.HandlerFunc(...)` in
// `http.TimeoutHandler`` and specify a timeout, but note the TimeoutHandler does not
// start ticking until all headers have been read.

// Listen with our custom server with timeouts configured
if err := srv.ListenAndServe(); err != nil {
  log.Fatal(err)
}
```
For more information on the `http.Server` timeouts, see: https://pkg.go.dev/net/http#Server

For information on setting request based timeouts, see:
https://pkg.go.dev/net/http#TimeoutHandler

For more information on the Slowloris attack see:
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

Mitigation

Impact

None

References

Identifier type: semgrep_id
Name: gosec.G114-1
Value: gosec.G114-1

Identifier type: owasp
Name: A05:2021 - Security Misconfiguration
Value: A05:2021

Identifier type: owasp
Name: A6:2017 - Security Misconfiguration
Value: A6:2017

Identifier type: gosec_rule_id
Name: Gosec Rule ID G112
Value: G112

Identifier type: gosec_rule_id
Name: Gosec Rule ID G114
Value: G114