# Gin (Go) Security

Security vulnerabilities and detection rules for the Gin framework. 24 rules across 21 CWE categories.

- Total rules: 24
- CWE categories: 21
- Critical rules: 3

## CWEs

- **CWE-200**: Exposure of Sensitive Information to an Unauthorized Actor
- **CWE-693**: Protection Mechanism Failure
- **CWE-942**: Permissive Cross-domain Policy with Untrusted Domains
- **CWE-20**: Improper Input Validation
- **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- **CWE-93**: Improper Neutralization of CRLF Sequences ('CRLF Injection')
- **CWE-117**: Improper Output Neutralization for Logs
- **CWE-176**: Improper Handling of Unicode Encoding
- **CWE-190**: Integer Overflow or Wraparound
- **CWE-201**: Insertion of Sensitive Information Into Sent Data
- **CWE-209**: Generation of Error Message Containing Sensitive Information
- **CWE-306**: Missing Authentication for Critical Function
- **CWE-307**: Improper Restriction of Excessive Authentication Attempts
- **CWE-319**: Cleartext Transmission of Sensitive Information
- **CWE-352**: Cross-Site Request Forgery (CSRF)
- **CWE-489**: Active Debug Code
- **CWE-639**: Authorization Bypass Through User-Controlled Key
- **CWE-840**: Business Logic Errors
- **CWE-918**: Server-Side Request Forgery (SSRF)
- **CWE-943**: Improper Neutralization of Special Elements in Data Query Logic

## Rules

- **Business Logic Bypass** [HIGH]: Client-controlled financial values flow to payment operations without server-side calculation.
- **Email Header Injection** [HIGH]: User input flows into email headers without CRLF validation.
- **Environment Variable Secret Exposure** [HIGH]: Environment variables containing secrets flow to logs or HTTP responses.
- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.
- **Gin Debug Mode in Production** [MEDIUM]: Gin debug mode exposes routing info and verbose errors in production.
- **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection.
- **Gin Missing Security Headers** [MEDIUM]: Gin application missing security HTTP headers middleware.
- **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
- **Gin Running Without TLS** [LOW]: Gin server running over HTTP instead of HTTPS.
- **Gin Missing Input Validation** [MEDIUM]: Gin endpoints accepting user input without struct binding validation.
- **Gin Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
- **Missing Rate Limiting in Gin Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.
- **Integer Overflow via Unchecked Arithmetic** [MEDIUM]: User-controlled integer used in arithmetic or allocation without bounds checking.
- **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks.
- **Missing HTTP Security Headers** [MEDIUM]: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.
- **NoSQL Injection** [HIGH]: Detects user input flowing to MongoDB or Redis queries without proper validation.
- **Path Traversal via File Operations** [HIGH]: User input flows to file operations like os.Open without path validation.
- **Permissive CORS Configuration** [MEDIUM]: CORS allows wildcard origin or reflects Origin header without validation.
- **Sensitive Field Exposure in API Response** [CRITICAL]: Sensitive fields like password, token, or apiKey included in HTTP responses.
- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing to SQL queries without parameterization.
- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.
- **Unicode Normalization Security Issues** [MEDIUM]: Security-sensitive string comparison without Unicode normalization.
- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests to user-controlled endpoints. This allows attackers to exfiltrate server credentials by providing a malicious webhook URL that captures the sensitive headers or body data.

  Example vulnerable pattern:

  ```go
  // User controls 'endpoint' from request
  endpoint := r.FormValue("webhook_url")

  // Server sends its internal API key to attacker-controlled URL
  req, _ := http.NewRequest("POST", endpoint, nil)
  req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
  client.Do(req)
  ```

  This is different from standard SSRF (which accesses internal resources): here the attacker exfiltrates server credentials to their own controlled endpoint.
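The fix the credential-exfiltration rule expects is to validate the outbound destination before any internal credential is attached. The following is an added example, not code from this rule set: it checks a user-supplied webhook URL against a constructed host allowlist (`hooks.example.com` is an assumed value), requires HTTPS on the default port, rejects URLs carrying userinfo, and only then builds the request with the API key header.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allowlist; a real service would load it from configuration.
var allowedWebhookHosts = map[string]bool{"hooks.example.com": true}

var ErrWebhookNotAllowed = errors.New("webhook destination not allowed")

// ValidateWebhookURL returns the lower-cased host when the destination is
// acceptable: https scheme, default port, no userinfo, host on the allowlist.
func ValidateWebhookURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.User != nil {
		return "", ErrWebhookNotAllowed // plaintext or "user@host" tricks are rejected
	}
	if p := u.Port(); p != "" && p != "443" {
		return "", ErrWebhookNotAllowed
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	if !allowedWebhookHosts[host] {
		return "", ErrWebhookNotAllowed
	}
	return host, nil
}

// BuildWebhookRequest attaches the internal credential only after the
// destination has passed validation, so a rejected URL never sees the key.
func BuildWebhookRequest(raw, apiKey string) (*http.Request, error) {
	if _, err := ValidateWebhookURL(raw); err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, raw, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-API-Key", apiKey)
	return req, nil
}

func main() {
	_, err := BuildWebhookRequest("https://collector.example/", "constructed-key")
	fmt.Println("untrusted destination rejected:", err != nil)
}
```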