Merge pull request github#15057 from aydinnyunus/main

Web Cache Deception Vulnerability on Go Frameworks

Author: owen-mc

go/ql/src/experimental/CWE-525/WebCacheDeception.expected

@@ -0,0 +1,5 @@
+| WebCacheDeceptionBad.go:82:18:82:31 | "/adminusers/" | "/adminusers/" is used as wildcard endpoint. |
+| WebCacheDeceptionFiber.go:15:10:15:17 | "/api/*" | "/api/*" is used as wildcard endpoint. |
+| WebCacheDeceptionFiber.go:20:11:20:18 | "/api/*" | "/api/*" is used as wildcard endpoint. |
+| WebCacheDeceptionGoChi.go:13:8:13:11 | "/*" | "/*" is used as wildcard endpoint. |
+| WebCacheDeceptionHTTPRouter.go:21:13:21:25 | "/test/*test" | "/test/*test" is used as wildcard endpoint. |

go/ql/src/experimental/CWE-525/WebCacheDeception.qhelp

@@ -17,13 +17,31 @@
         <p>
             Vulnerable code example: A web server is configured to cache all responses ending in '.css'. An attacker requests 'profile.css', and the server processes 'profile', a sensitive page, and caches it.
         </p>
-        <sample src="WebCacheDeceptionBad.go" />
+        <sample src="examples/WebCacheDeceptionBad.go" />
     </example>
     <example>
         <p>
             Secure code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
         </p>
-        <sample src="WebCacheDeceptionGood.go" />
+        <sample src="examples/WebCacheDeceptionGood.go" />
+    </example>
+    <example>
+        <p>
+            Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="examples/WebCacheDeceptionFiber.go" />
+    </example>
+    <example>
+        <p>
+            Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="examples/WebCacheDeceptionGoChi.go" />
+    </example>
+     <example>
+        <p>
+            Vulnerable code example: The server is configured with strict cache controls and URL validation, preventing caching of dynamic or sensitive pages regardless of their URL pattern.
+        </p>
+        <sample src="examples/WebCacheDeceptionHTTPRouter.go" />
     </example>
     <references>
         <li>

go/ql/src/experimental/CWE-525/WebCacheDeception.ql

@@ -11,17 +11,7 @@
  */
 
 import go
+import WebCacheDeceptionLib
 
-from
-  DataFlow::CallNode httpHandleFuncCall, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw,
-  DeclaredFunction f
-where
-  httpHandleFuncCall.getTarget().hasQualifiedName("net/http", "HandleFunc") and
-  httpHandleFuncCall.getArgument(0).getStringValue().matches("%/") and
-  httpHandleFuncCall.getArgument(1) = rn and
-  rn.reads(f) and
-  f.getParameter(0) = hw.getResponseWriter() and
-  hw.getHeaderName() = "cache-control"
-select httpHandleFuncCall.getArgument(0),
-  "Wildcard Endpoint used with " + httpHandleFuncCall.getArgument(0) + " and '" + hw.getHeaderName()
-    + "' Header is used"
+from WebCacheDeception::Sink httpHandleFuncCall
+select httpHandleFuncCall, httpHandleFuncCall + " is used as wildcard endpoint."

go/ql/src/experimental/CWE-525/WebCacheDeceptionLib.qll

@@ -0,0 +1,61 @@
+import go
+import StringOps
+
+module WebCacheDeception {
+  abstract class Sink extends DataFlow::Node { }
+
+  private class GoNetHttp extends Sink {
+    GoNetHttp() {
+      exists(
+        DataFlow::CallNode m, DataFlow::ReadNode rn, Http::HeaderWrite::Range hw, DeclaredFunction f
+      |
+        m.getTarget().hasQualifiedName("net/http", "HandleFunc") and
+        m.getArgument(0).getStringValue().matches("%/") and
+        m.getArgument(1) = rn and
+        rn.reads(f) and
+        f.getParameter(0) = hw.getResponseWriter() and
+        hw.getHeaderName() = "cache-control" and
+        this = m.getArgument(0)
+      )
+    }
+  }
+
+  private class GoFiber extends Sink {
+    GoFiber() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/gofiber/fiber" or
+        i.getPath() = "github.com/gofiber/fiber/v2"
+      |
+        exists(DataFlow::CallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  private class GoChi extends Sink {
+    GoChi() {
+      exists(ImportSpec i |
+        i.getPath() = "github.com/go-chi/chi/v5" or
+        i.getPath() = "github.com/go-chi/chi/v5/middleware"
+      |
+        exists(DataFlow::CallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+
+  private class GoHttpRouter extends Sink {
+    GoHttpRouter() {
+      exists(string pkg | pkg = "github.com/julienschmidt/httprouter" |
+        exists(DataFlow::CallNode m |
+          m.getCall().getArgument(0).toString().matches("%/*%") and
+          this = m.getArgument(0)
+        )
+      )
+    }
+  }
+}

go/ql/src/experimental/CWE-525/WebCacheDeceptionBad.go renamed to go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionBad.go

@@ -0,0 +1,38 @@
+package fiber
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func main() {
+	app := fiber.New()
+	log.Println("We are logging in Golang!")
+
+	// GET /api/register
+	app.Get("/api/*", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("✋")
+		return c.SendString(msg) // => ✋ register
+	})
+
+	app.Post("/api/*", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("✋")
+		return c.SendString(msg) // => ✋ register
+	})
+
+	// GET /flights/LAX-SFO
+	app.Get("/flights/:from-:to", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("💸 From: %s, To: %s", c.Params("from"), c.Params("to"))
+		return c.SendString(msg) // => 💸 From: LAX, To: SFO
+	})
+
+	// GET /dictionary.txt
+	app.Get("/:file.:ext", func(c *fiber.Ctx) error {
+		msg := fmt.Sprintf("📃 %s.%s", c.Params("file"), c.Params("ext"))
+		return c.SendString(msg) // => 📃 dictionary.txt
+	})
+
+	log.Fatal(app.Listen(":3000"))
+}

go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionFiber.go

@@ -0,0 +1,17 @@
+package main
+
+import (
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+)
+
+func main() {
+	r := chi.NewRouter()
+	r.Use(middleware.Logger)
+	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("welcome"))
+	})
+	http.ListenAndServe(":3000", r)
+}

go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionGoChi.go

@@ -0,0 +1,25 @@
+package httprouter
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+func Index(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
+	fmt.Fprint(w, "Welcome!\n")
+}
+
+func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+	fmt.Fprintf(w, "hello, %s!\n", ps.ByName("name"))
+}
+
+func main() {
+	router := httprouter.New()
+	router.GET("/test/*test", Index)
+	router.GET("/hello/:name", Hello)
+
+	log.Fatal(http.ListenAndServe(":8082", router))
+}

go/ql/src/experimental/CWE-525/WebCacheDeceptionGood.go renamed to go/ql/src/experimental/CWE-525/examples/WebCacheDeceptionGood.go

@@ -1 +1,5 @@
-| WebCacheDeceptionBad.go:82:18:82:31 | "/adminusers/" | Wildcard Endpoint used with "/adminusers/" and 'cache-control' Header is used |
+| WebCacheDeceptionBad.go:82:18:82:31 | "/adminusers/" | "/adminusers/" is used as wildcard endpoint. |
+| WebCacheDeceptionFiber.go:15:10:15:17 | "/api/*" | "/api/*" is used as wildcard endpoint. |
+| WebCacheDeceptionFiber.go:20:11:20:18 | "/api/*" | "/api/*" is used as wildcard endpoint. |
+| WebCacheDeceptionGoChi.go:13:8:13:11 | "/*" | "/*" is used as wildcard endpoint. |
+| WebCacheDeceptionHTTPRouter.go:21:13:21:25 | "/test/*test" | "/test/*test" is used as wildcard endpoint. |