# fiber (Go) Security Rules

23 detection rules for the fiber framework in Go.

- Total rules: 23
- CWE coverage: 20

## CRITICAL (3)

- **Sensitive Field Exposure in API Response**: Sensitive fields such as `password`, `token`, or `apiKey` are included in HTTP responses.
- **SQL Injection via Database Queries**: Detects user input flowing into SQL queries without parameterization.
- **Credential Exfiltration via User-Controlled Endpoint**: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. An attacker can exfiltrate server credentials by supplying a malicious webhook URL whose receiver captures the sensitive headers or body data. Example vulnerable pattern (shown with `net/http`, as in the rule's own example):

```go
package main

import (
	"net/http"
	"os"
)

// Vulnerable: the user controls 'endpoint' from the request, and the server
// attaches its own internal API key to the outbound request, so a malicious
// webhook_url receives the secret.
func sendWebhook(w http.ResponseWriter, r *http.Request) {
	endpoint := r.FormValue("webhook_url")
	req, _ := http.NewRequest("POST", endpoint, nil)
	req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
	http.DefaultClient.Do(req)
}
```

  This differs from standard SSRF (where the attacker uses the server to reach internal resources): here the attacker directs the server's own credentials to an endpoint the attacker controls.

## HIGH (8)

- **Business Logic Bypass**: Client-controlled financial values flow into payment operations without server-side calculation.
- **Email Header Injection**: User input flows into email headers without CRLF validation.
- **Environment Variable Secret Exposure**: Environment variables containing secrets flow into logs or HTTP responses.
- **Fiber Missing JWT Middleware**: API endpoints lack JWT authentication middleware protection.
- **Fiber Running Without TLS**: Fiber server runs over HTTP instead of HTTPS.
- **NoSQL Injection**: Detects user input flowing into MongoDB or Redis queries without proper validation.
- **Path Traversal via File Operations**: User input flows into file operations such as `os.Open` without path validation.
- **Server-Side Request Forgery (SSRF)**: Detects user input flowing into HTTP client requests, enabling Server-Side Request Forgery attacks.

## MEDIUM (12)

- **Database Error Information Exposure in HTTP Response**: Internal error messages or stack traces are exposed to users in HTTP responses.
- **Fiber Debug Mode in Production**: Fiber debug configuration exposes route structure and stack traces.
- **Fiber Missing Security Headers**: Fiber application is missing the security HTTP headers middleware.
- **Fiber Missing Input Validation**: Fiber endpoints accept user input without struct validation.
- **Fiber Permissive CORS**: Wildcard CORS allows any origin to access resources.
- **Missing Rate Limiting in Fiber Application**: Authentication endpoints lack rate limiting protection.
- **Potential IDOR - Generic Data Access**: Detects route parameters flowing into data access without visible ownership verification.
- **Integer Overflow via Unchecked Arithmetic**: User-controlled integer is used in arithmetic or allocation without bounds checking.
- **Log Injection / Log Forging**: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **Missing HTTP Security Headers**: HTTP responses lack security headers such as `X-Frame-Options` or `Content-Security-Policy`.
- **Permissive CORS Configuration**: CORS allows a wildcard origin or reflects the `Origin` header without validation.
- **Unicode Normalization Security Issues**: Security-sensitive string comparison is performed without Unicode normalization.
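The hardened counterpart to the credential-exfiltration pattern above, and the same check that closes the SSRF rule, is an outbound-URL validator that runs before any request carrying server credentials is built. The following is an added example, not code from the rule set or from the fiber project; it uses only the Go standard library, and the allowlist host `hooks.partner.example`, the header name `X-API-Key` and the helper names `validateWebhookURL` and `buildWebhookRequest` are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// ErrWebhookRejected wraps every validation failure so callers can match it
// with errors.Is and return a generic 4xx without leaking the reason.
var ErrWebhookRejected = errors.New("webhook URL rejected")

// allowedWebhookHosts is a hypothetical allowlist of partner hosts permitted
// to receive the server's credentials. In production it comes from config,
// never from anything the requester supplies.
var allowedWebhookHosts = map[string]bool{
	"hooks.partner.example": true,
}

// validateWebhookURL parses a user-supplied URL and accepts it only if it is
// https, carries no userinfo, uses the default port, is not a literal
// loopback/private/link-local/unspecified address, and names an allowlisted
// host. Anything else is rejected before a request is constructed.
func validateWebhookURL(raw string, allowed map[string]bool) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrWebhookRejected, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q is not https", ErrWebhookRejected, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo not allowed", ErrWebhookRejected)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrWebhookRejected)
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("%w: non-default port %s", ErrWebhookRejected, p)
	}
	// Defence in depth: even if an operator adds an IP literal to the
	// allowlist, never send credentials to local or internal address space.
	if ip := net.ParseIP(host); ip != nil {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return nil, fmt.Errorf("%w: internal address %s", ErrWebhookRejected, ip)
		}
	}
	if !allowed[host] {
		return nil, fmt.Errorf("%w: host %q not in allowlist", ErrWebhookRejected, host)
	}
	return u, nil
}

// buildWebhookRequest is the fixed form of the vulnerable handler: the secret
// is attached only after the destination has passed validateWebhookURL.
func buildWebhookRequest(endpoint, apiKey string) (*http.Request, error) {
	u, err := validateWebhookURL(endpoint, allowedWebhookHosts)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, u.String(), nil)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrWebhookRejected, err)
	}
	req.Header.Set("X-API-Key", apiKey)
	return req, nil
}

func main() {
	// Constructed sample inputs: one legitimate destination and the kinds of
	// values an attacker would submit as webhook_url.
	for _, raw := range []string{
		"https://hooks.partner.example/in",
		"https://attacker.example/collect",
		"http://hooks.partner.example/in",
		"https://user:pw@hooks.partner.example/in",
		"https://169.254.169.254/latest/meta-data/",
		"https://[::1]/",
	} {
		if _, err := buildWebhookRequest(raw, "redacted"); err != nil {
			fmt.Printf("REJECT %-45s %v\n", raw, err)
		} else {
			fmt.Printf("ACCEPT %s\n", raw)
		}
	}
}
```

The allowlist is the control that actually stops exfiltration: scheme and address checks alone would still let the attacker register any public https host. The IP-literal check does not cover a DNS name that resolves to an internal address at request time; for full SSRF coverage the resolved address must also be checked when the connection is dialled, which this example does not show.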