Add Web Cache Deception QHelp and Example Code Snippet for Vulnerable Go Fiber usage

Author: Yunus AYDIN

go/ql/src/experimental/CWE-525/WebCacheDeception.expected

@@ -25,6 +25,12 @@
         </p>
         <sample src="WebCacheDeceptionGood.go" />
     </example>
+    <example>
+        <p>
+            Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="WebCacheDeceptionFiber.go" />
+    </example>
     <references>
         <li>
             OWASP Web Cache Deception Attack:

go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp

@@ -0,0 +1 @@
+WARNING: Unused variable f (WebCacheDeceptionFiber.ql:15,77-78)

go/ql/src/experimental/CWE-525/WebCacheDeceptionFiber.expected

@@ -0,0 +1,21 @@
+/*
+ * @name Web Cache Deception
+ * @description A caching system has been detected on the application and is vulnerable to web cache deception on Gofiber. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id go/web-cache-deception
+ * @tags security
+ *       external/cwe/cwe-525
+ */
+
+import go
+
+from DataFlow::CallNode httpHandleFuncCall, ImportSpec importSpec, Function f
+where 
+  importSpec.getPath() = "github.com/gofiber/fiber/v2" and
+  httpHandleFuncCall.getCall().getArgument(0).toString().matches("%/*%") and
+  not httpHandleFuncCall.getCall().getArgument(0).toString().matches("%$%")
+select httpHandleFuncCall.getCall().getArgument(0),
+"Wildcard Endpoint used with " + httpHandleFuncCall.getCall().getArgument(0)

go/ql/src/experimental/CWE-525/WebCacheDeceptionFiber.ql

@@ -0,0 +1,87 @@
+package bad
+
+import (
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+var sessionMap = make(map[string]string)
+
+var (
+	templateCache = make(map[string]*template.Template)
+	mutex         = &sync.Mutex{}
+)
+
+type Lists struct {
+	Uid       string
+	UserName  string
+	UserLists []string
+	ReadFile  func(filename string) string
+}
+
+func parseTemplateFile(templateName string, tmplFile string) (*template.Template, error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	// Check if the template is already cached
+	if cachedTemplate, ok := templateCache[templateName]; ok {
+		fmt.Println("cached")
+		return cachedTemplate, nil
+	}
+
+	// Parse and store the template in the cache
+	parsedTemplate, _ := template.ParseFiles(tmplFile)
+	fmt.Println("not cached")
+
+	templateCache[templateName] = parsedTemplate
+	return parsedTemplate, nil
+}
+
+func ShowAdminPageCache(w http.ResponseWriter, r *http.Request) {
+
+	if r.Method == "GET" {
+		fmt.Println("cache called")
+		sessionMap[r.RequestURI] = "admin"
+
+		// Check if a session value exists
+		if _, ok := sessionMap[r.RequestURI]; ok {
+			cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + "admin" + "\");'"
+
+			// mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in ("test");--';echo");'
+			fmt.Println(cmd)
+
+			res, err := exec.Command("sh", "-c", cmd).Output()
+			if err != nil {
+				fmt.Println("err : ", err)
+			}
+
+			splitedRes := strings.Split(string(res), "\n")
+
+			p := Lists{Uid: "1", UserName: "admin", UserLists: splitedRes}
+
+			parsedTemplate, _ := parseTemplateFile("page", "./views/admin/userlists.gtpl")
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			err = parsedTemplate.Execute(w, p)
+		}
+	} else {
+		http.NotFound(w, nil)
+	}
+
+}
+
+func main() {
+	fmt.Println("Vulnapp server listening : 1337")
+
+	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
+
+	http.HandleFunc("/adminusers/", ShowAdminPageCache)
+	err := http.ListenAndServe(":1337", nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}

go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionBad.go

@@ -0,0 +1,38 @@
+package fiber
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func main() {
+	app := fiber.New()
+	log.Println("We are logging in Golang!")
+
+	// GET /api/register
+	app.Get("/api/*", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("✋")
+		return c.SendString(msg) // => ✋ register
+	})
+
+	app.Post("/api/*", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("✋")
+		return c.SendString(msg) // => ✋ register
+	})
+
+	// GET /flights/LAX-SFO
+	app.Get("/flights/:from-:to", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("💸 From: %s, To: %s", c.Params("from"), c.Params("to"))
+		return c.SendString(msg) // => 💸 From: LAX, To: SFO
+	})
+
+	// GET /dictionary.txt
+	app.Get("/:file.:ext", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("📃 %s.%s", c.Params("file"), c.Params("ext"))
+		return c.SendString(msg) // => 📃 dictionary.txt
+	})
+
+	log.Fatal(app.Listen(":3000"))
+}

go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionFiber.go

@@ -0,0 +1,87 @@
+package good
+
+import (
+	"fmt"
+	"html/template"
+	"log"
+	"net/http"
+	"os/exec"
+	"strings"
+	"sync"
+)
+
+var sessionMap = make(map[string]string)
+
+var (
+	templateCache = make(map[string]*template.Template)
+	mutex         = &sync.Mutex{}
+)
+
+type Lists struct {
+	Uid       string
+	UserName  string
+	UserLists []string
+	ReadFile  func(filename string) string
+}
+
+func parseTemplateFile(templateName string, tmplFile string) (*template.Template, error) {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	// Check if the template is already cached
+	if cachedTemplate, ok := templateCache[templateName]; ok {
+		fmt.Println("cached")
+		return cachedTemplate, nil
+	}
+
+	// Parse and store the template in the cache
+	parsedTemplate, _ := template.ParseFiles(tmplFile)
+	fmt.Println("not cached")
+
+	templateCache[templateName] = parsedTemplate
+	return parsedTemplate, nil
+}
+
+func ShowAdminPageCache(w http.ResponseWriter, r *http.Request) {
+
+	if r.Method == "GET" {
+		fmt.Println("cache called")
+		sessionMap[r.RequestURI] = "admin"
+
+		// Check if a session value exists
+		if _, ok := sessionMap[r.RequestURI]; ok {
+			cmd := "mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in (\"" + "admin" + "\");'"
+
+			// mysql -h mysql -u root -prootwolf -e 'select id,name,mail,age,created_at,updated_at from vulnapp.user where name not in ("test");--';echo");'
+			fmt.Println(cmd)
+
+			res, err := exec.Command("sh", "-c", cmd).Output()
+			if err != nil {
+				fmt.Println("err : ", err)
+			}
+
+			splitedRes := strings.Split(string(res), "\n")
+
+			p := Lists{Uid: "1", UserName: "admin", UserLists: splitedRes}
+
+			parsedTemplate, _ := parseTemplateFile("page", "./views/admin/userlists.gtpl")
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			err = parsedTemplate.Execute(w, p)
+		}
+	} else {
+		http.NotFound(w, nil)
+	}
+
+}
+
+func main() {
+	fmt.Println("Vulnapp server listening : 1337")
+
+	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))
+
+	http.HandleFunc("/adminusers", ShowAdminPageCache)
+	err := http.ListenAndServe(":1337", nil)
+	if err != nil {
+		log.Fatal("ListenAndServe: ", err)
+	}
+}