# Go Security Rules

90 detection rules for Go

- Total rules: 90
- CRITICAL: 7
- HIGH: 40
- MEDIUM: 41
- LOW: 2

## Frameworks

- chi
- echo
- fiber
- gin
- go
- gorilla
- net/http
- stdlib

## Rules by CWE

### Protection Mechanism Failure (CWE-693)

- **Chi Missing Security Headers** [MEDIUM]: Chi application missing security HTTP headers middleware.
- **Echo Missing Security Headers** [MEDIUM]: Echo application missing security HTTP headers middleware.
- **Fiber Missing Security Headers** [MEDIUM]: Fiber application missing security HTTP headers middleware.
- **Gin Missing Security Headers** [MEDIUM]: Gin application missing security HTTP headers middleware.
- **Gorilla Missing Security Headers** [MEDIUM]: Gorilla Mux application missing security HTTP headers middleware.
- **Missing HTTP Security Headers** [MEDIUM]: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.

### CWE-307 (CWE-307)

- **Missing Rate Limiting in Chi Router Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Missing Rate Limiting in Echo Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Missing Rate Limiting in Fiber Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Missing Rate Limiting in Gin Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.
- **Missing Rate Limiting in Gorilla Mux Application** [MEDIUM]: Authentication endpoints lack rate limiting protection.

### CWE-942 (CWE-942)

- **Chi Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
- **Echo Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
- **Fiber Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
- **Gin Permissive CORS** [MEDIUM]: Wildcard CORS allows any origin to access resources.
- **Permissive CORS Configuration** [MEDIUM]: CORS allows wildcard origin or reflects Origin header without validation.

### Improper Input Validation (CWE-20)

- **Business Logic Input Validation** [MEDIUM]: Business-critical values (discount, quantity, refund) used without validation.
- **Echo Missing Input Validation** [MEDIUM]: Echo endpoints accepting user input without struct validation.
- **Fiber Missing Input Validation** [MEDIUM]: Fiber endpoints accepting user input without struct validation.
- **Gin Missing Input Validation** [MEDIUM]: Gin endpoints accepting user input without struct binding validation.

### Information Exposure (CWE-200)

- **Environment Variable Secret Exposure** [HIGH]: Environment variables containing secrets flow to logs or HTTP responses.
- **LLM Model Theft** [HIGH]: Detects vulnerabilities leading to model theft or API key exposure such as hardcoded keys or insecure model endpoints.
- **LLM Sensitive Information Disclosure** [HIGH]: Detects sensitive information disclosure in AI/LLM implementations such as credentials or PII in prompts.
- **Sensitive Field Exposure in API Response** [CRITICAL]: Sensitive fields like password, token, or apiKey included in HTTP responses.

### Race Condition (CWE-362)

- **Concurrent Slice Access** [HIGH]: Concurrent access to slices (especially append) without synchronization can
cause data races, lost data, or panics. Slices in Go are not thread-safe.
- **Direct Map Access on Thread-Safe Struct** [HIGH]: Direct access to map fields on structs that provide thread-safe accessor methods
can cause race conditions. Use the provided accessor methods instead.
- **Potential Race Condition** [MEDIUM]: Shared data accessed from goroutines without synchronization.
- **WaitGroup Misuse** [HIGH]: Improper use of sync.WaitGroup can cause race conditions, panics, or deadlocks.
Common issues include calling Add() inside goroutines and Done() count mismatches.

### Code Injection (CWE-94)

- **Code Injection via os/exec** [CRITICAL]: Detects user input flowing to template functions that bypass HTML escaping.
- **LLM Insecure Output Handling** [HIGH]: Detects LLM outputs used directly in dangerous operations like command execution or SQL queries without validation.
- **Server-Side Template Injection** [CRITICAL]: User input passed directly to template.Parse without sanitization.

### CWE-306 (CWE-306)

- **Echo Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
- **Fiber Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.
- **Gin Missing JWT Middleware** [HIGH]: API endpoints lack JWT authentication middleware protection.

### CWE-319 (CWE-319)

- **Echo Running Without TLS** [HIGH]: Echo server running over HTTP instead of HTTPS.
- **Fiber Running Without TLS** [HIGH]: Fiber server running over HTTP instead of HTTPS.
- **Gin Running Without TLS** [LOW]: Gin server running over HTTP instead of HTTPS.

### Resource Exhaustion (CWE-400)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls lacking token limits or input validation that could enable denial of service.
- **Missing Request Size Limits** [MEDIUM]: Request body read without size limit using ioutil.ReadAll or io.ReadAll.
- **Denial of Service via Resource Exhaustion** [MEDIUM]: Unbounded goroutines, missing timeouts, or unchecked allocations from user input.

### CWE-489 (CWE-489)

- **Echo Debug Mode in Production** [MEDIUM]: Echo debug mode exposes stack traces and verbose errors in production.
- **Fiber Debug Mode in Production** [MEDIUM]: Fiber debug configuration exposes route structure and stack traces.
- **Gin Debug Mode in Production** [MEDIUM]: Gin debug mode exposes routing info and verbose errors in production.

### Authorization Bypass Through User-Controlled Key (CWE-639)

- **Horizontal Privilege Escalation** [HIGH]: Detects horizontal privilege escalation where users can access or modify other users' resources.
- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects IDOR vulnerabilities where user-supplied IDs access resources without authorization checks.
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to data access without visible ownership verification.

### Path Traversal (CWE-22)

- **Path Traversal via File Operations** [HIGH]: User input flows to file operations like os.Open without path validation.
- **Zip Slip / Path Traversal in Archive** [HIGH]: Archive extraction uses filename without validating it stays within target directory.

### Deserialization of Untrusted Data (CWE-502)

- **Insecure Deserialization** [HIGH]: Detects truly dangerous deserialization in Go. Unlike Java or Python, Go's encoding/json
is safe (data-only parsing, no code execution). This rule focuses on:
- gob.Decoder: Can instantiate arbitrary types, potential RCE (CRITICAL)
- json/yaml/xml to interface{}: Type confusion risk when combined with untrusted input (MEDIUM)

Note: json.Unmarshal to typed structs is NOT flagged as it cannot execute code.
- **LLM Training Data Poisoning** [HIGH]: Detects untrusted data flowing into AI/LLM fine-tuning or training processes without validation.

### Injection (CWE-74)

- **AI Prompt Injection** [HIGH]: Detects user input flowing to LLM prompts without sanitization.

### OS Command Injection (CWE-78)

- **Command Injection via os/exec** [CRITICAL]: Detects user input flowing to os/exec command execution, enabling OS command injection.

### SQL Injection (CWE-89)

- **SQL Injection via Database Queries** [CRITICAL]: Detects user input flowing to SQL queries without parameterization.

### LDAP Injection (CWE-90)

- **LDAP Injection** [HIGH]: Detects user input flowing to LDAP queries without proper escaping.

### CWE-93 (CWE-93)

- **Email Header Injection** [HIGH]: User input flows into email headers without CRLF validation.

### HTTP Response Splitting (CWE-113)

- **HTTP Header Injection** [MEDIUM]: Detects user input flowing to HTTP headers without CRLF sanitization.

### Log Injection (CWE-117)

- **Log Injection / Log Forging** [MEDIUM]: Detects unsanitized user input flowing into log statements, enabling log forging attacks.

### CWE-176 (CWE-176)

- **Unicode Normalization Security Issues** [MEDIUM]: Security-sensitive string comparison without Unicode normalization.

### CWE-190 (CWE-190)

- **Integer Overflow via Unchecked Arithmetic** [MEDIUM]: User-controlled integer used in arithmetic or allocation without bounds checking.

### CWE-201 (CWE-201)

- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```go
// User controls 'endpoint' from request
endpoint := r.FormValue("webhook_url")

// Server sends its internal API key to attacker-controlled URL
req, _ := http.NewRequest("POST", endpoint, nil)
req.Header.Set("X-API-Key", os.Getenv("INTERNAL_API_KEY"))
client.Do(req)
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.

### Error Message Information Leak (CWE-209)

- **Database Error Information Exposure in HTTP Response** [MEDIUM]: Internal error messages or stack traces exposed to users in HTTP responses.

### Unchecked Return Value (CWE-252)

- **Unchecked Error Return Values** [MEDIUM]: Error return value ignored using blank identifier (_).

### Improper Access Control (CWE-284)

- **LLM Insecure Plugin Design** [HIGH]: Detects insecure plugin/function calling implementations in AI/LLM systems without proper validation.

### Improper Certificate Validation (CWE-295)

- **Insecure TLS/SSL Configuration** [HIGH]: TLS config uses InsecureSkipVerify, weak TLS version, or deprecated ciphers.

### Broken Cryptographic Algorithm (CWE-327)

- **Use of Weak Cryptographic Algorithm** [HIGH]: Uses MD5, SHA1, DES, or RC4 which are cryptographically broken.

### CWE-330 (CWE-330)

- **Non-deterministic Map Iteration** [MEDIUM]: Converts map to slice without sorting, producing non-deterministic output.

### Weak PRNG (CWE-338)

- **Weak Random Number Generation for Security** [HIGH]: Uses math/rand for security tokens, keys, or session IDs instead of crypto/rand.

### Improper Signature Verification (CWE-347)

- **JWT Security Vulnerabilities** [HIGH]: JWT allows "none" algorithm, uses weak secret, or lacks expiration.

### Cross-Site Request Forgery (CWE-352)

- **Missing CSRF Protection (Gin)** [HIGH]: State-changing endpoints lack CSRF token protection.

### Session Fixation (CWE-384)

- **Insecure Session Management** [HIGH]: Session IDs use predictable values or cookies lack Secure/HttpOnly flags.

### CWE-391 (CWE-391)

- **Empty Error Handling** [LOW]: Error check block is empty, silently swallowing errors.

### Unrestricted File Upload (CWE-434)

- **Unsafe File Upload** [HIGH]: File upload processed without type validation, size limits, or filename sanitization.

### CWE-476 (CWE-476)

- **Unsafe Type Assertion Without Ok Check** [MEDIUM]: Type assertion without two-value form can panic at runtime.

### Weak Password Requirements (CWE-521)

- **Weak Password Policy** [MEDIUM]: Password validation requires fewer than 8 characters.

### CWE-526 (CWE-526)

- **Environment Variable Exposure** [HIGH]: Environment variables logged or included in HTTP responses.

### Information Exposure Through Logs (CWE-532)

- **Logging Sensitive Data** [MEDIUM]: Passwords, tokens, or PII logged via log.Printf or similar functions.

### Open Redirect (CWE-601)

- **Open Redirect** [MEDIUM]: User-controlled input used in http.Redirect without URL validation.

### XXE (CWE-611)

- **XML External Entity (XXE) Injection** [HIGH]: User-controlled XML parsed without disabling external entities.

### CWE-636 (CWE-636)

- **Failing Open on Error** [HIGH]: Security validation returns true/grants access when an error occurs.

### Weak Password Recovery (CWE-640)

- **Weak Password Reset Token** [HIGH]: Password reset token uses predictable values like timestamps or math/rand.

### CWE-667 (CWE-667)

- **Mutex Misuse** [HIGH]: Improper use of sync.Mutex or sync.RWMutex can cause deadlocks, data races,
or performance issues. Common issues include missing Unlock, defer in loops,
and copying mutex values.

### CWE-755 (CWE-755)

- **Incomplete Error Handling** [MEDIUM]: Function returns error but caller does not check err != nil.

### Hardcoded Credentials (CWE-798)

- **Hardcoded Secrets in Source Code** [CRITICAL]: API keys, passwords, or tokens hardcoded in source code.

### Inclusion of Untrusted Functionality (CWE-829)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects supply chain vulnerabilities in AI/LLM implementations such as untrusted model sources or dynamic model loading.

### CWE-833 (CWE-833)

- **Channel Misuse** [HIGH]: Improper channel usage can cause deadlocks, goroutine leaks, or panics.
Common issues include send/receive on unbuffered channel in same goroutine,
not closing channels, and sending on closed channels.

### CWE-840 (CWE-840)

- **Business Logic Bypass** [HIGH]: Client-controlled financial values flow to payment operations without server-side calculation.

### Missing Authorization (CWE-862)

- **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy allowing destructive operations without human approval.

### Server-Side Request Forgery (CWE-918)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input flowing to HTTP client requests, enabling Server-Side Request Forgery attacks.

### NoSQL Injection (CWE-943)

- **NoSQL Injection** [HIGH]: Detects user input flowing to MongoDB or Redis queries without proper validation.

### ReDoS (CWE-1333)

- **Regular Expression Denial of Service** [MEDIUM]: Regex pattern with nested quantifiers causes catastrophic backtracking.