# Gorilla (Go) Security

Security vulnerabilities and detection rules for gorilla framework. 13 rules across 12 CWE categories.

- Total rules: 13
- CWE categories: 12
- Critical rules: 3

## CWEs

- **CWE-693**: Protection Mechanism Failure
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-117**: Improper Output Neutralization for Logs
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-201**: Insertion of Sensitive Information Into Sent Data
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
- **CWE-639**: Authorization Bypass Through User-Controlled Key
- **CWE-840**: Business Logic Errors
- **CWE-918**: Server-Side Request Forgery (SSRF)
- **CWE-942**: Permissive Cross-domain Policy with Untrusted Domains

## Rules

- **Business Logic Bypass** [HIGH]: Client-controlled financial values flow to payment operations without server-side calculation.
- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.
- **Gorilla Missing Security Headers** [MEDIUM]: Gorilla Mux application missing security HTTP headers middleware.
- **Missing Rate Limiting in Gorilla Mux Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.
- **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **Missing HTTP Security Headers** [MEDIUM]: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.
- **Path Traversal via File Operations** [HIGH]: User input flows to file operations like os.Open without path validation.
- **Permissive CORS Configuration** [MEDIUM]: CORS allows wildcard origin or reflects Origin header without validation.
- **Sensitive Field Exposure in API Response** [CRITICAL]: Sensitive fields like password, token, or apiKey included in HTTP responses.
- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing to SQL queries without parameterization.
- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.