# Stdlib (Go) Security

Security vulnerabilities and detection rules for stdlib framework. 11 rules across 11 CWE categories.

- Total rules: 11
- CWE categories: 11
- Critical rules: 2

## CWEs

- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-117**: Improper Output Neutralization for Logs
- **CWE-176**: Improper Handling of Unicode Encoding
- **CWE-190**: Integer Overflow or Wraparound
- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-201**: Insertion of Sensitive Information Into Sent Data
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-327**: Use of a Broken or Risky Cryptographic Algorithm
- **CWE-918**: Server-Side Request Forgery (SSRF)
- **CWE-943**: Improper Neutralization of Special Elements in Data Query Logic

## Rules

- **Environment Variable Secret Exposure** [HIGH]: Environment variables containing secrets flow to logs or HTTP responses.
- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.
- **Integer Overflow via Unchecked Arithmetic** [MEDIUM]: User-controlled integer used in arithmetic or allocation without bounds checking.
- **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **NoSQL Injection** [HIGH]: Detects user input flowing to MongoDB or Redis queries without proper validation.
- **Path Traversal via File Operations** [HIGH]: User input flows to file operations like os.Open without path validation.
- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing to SQL queries without parameterization.
- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
- **Unicode Normalization Security Issues** [MEDIUM]: Security-sensitive string comparison without Unicode normalization.
- **Use of Weak Cryptographic Algorithm** [HIGH]: Uses MD5, SHA1, DES, or RC4 which are cryptographically broken.
- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.