# gorilla (Go) Security Rules

13 detection rules for gorilla framework in Go

- Total rules: 13
- CWE coverage: 12

## CRITICAL (3)

- **Sensitive Field Exposure in API Response**: Sensitive fields like password, token, or apiKey included in HTTP responses.
- **SQL Injection via Database Queries**: Detects user input flowing to SQL queries without parameterization.
- **Credential Exfiltration via User-Controlled Endpoint**: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.

## HIGH (3)

- **Business Logic Bypass**: Client-controlled financial values flow to payment operations without server-side calculation.
- **Path Traversal via File Operations**: User input flows to file operations like os.Open without path validation.
- **Server-Side Request Forgery (SSRF)**: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.

## MEDIUM (7)

- **Database Error Information Exposure in HTTP Response**: Internal error messages or stack traces exposed to users in HTTP responses.
- **Gorilla Missing Security Headers**: Gorilla Mux application missing security HTTP headers middleware.
- **Missing Rate Limiting in Gorilla Mux Application**: Authentication endpoints lack rate limiting protection.
- **Potential IDOR - Generic Data Access**: Detects route parameters flowing to data access without visible ownership verification.
- **Log Injection / Log Forging**: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **Missing HTTP Security Headers**: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.
- **Permissive CORS Configuration**: CORS allows wildcard origin or reflects Origin header without validation.