-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathbuiltin.go
More file actions
161 lines (130 loc) · 4.3 KB
/
builtin.go
File metadata and controls
161 lines (130 loc) · 4.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
package main
//go:generate depstubber -vendor github.com/gorilla/websocket Dialer
//go:generate depstubber -vendor golang.org/x/net/websocket "" Dial,NewConfig,DialConfig
import (
"context"
"fmt"
"log"
"net/http"
"net/url"
"regexp"
"strings"
gorilla "github.com/gorilla/websocket"
"golang.org/x/net/websocket"
)
func handler(w http.ResponseWriter, req *http.Request) {
target := req.FormValue("target") // $ Source
// BAD: `target` is controlled by the attacker
_, err := http.Get("https://" + target + ".example.com/data/") // $ Alert
if err != nil {
// error handling
}
// process request response
}
func handler1(w http.ResponseWriter, req *http.Request) {
target := req.FormValue("target")
var subdomain string
if target == "EU" {
subdomain = "europe"
} else {
subdomain = "world"
}
// GOOD: `subdomain` is controlled by the server
_, err := http.Get("https://" + subdomain + ".example.com/data/")
if err != nil {
// error handling
}
// process request response
}
func test() {
http.HandleFunc("/ex0", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
origin := "http://localhost/"
untrustedInputTrimmed := strings.TrimRight(untrustedInput, "\n\r")
if untrustedInputTrimmed == "ws://localhost:12345/ws" {
// good as input is checked against fixed set of urls.
ws, _ := websocket.Dial(untrustedInputTrimmed, "", origin) // OK
var msg = make([]byte, 512)
var n int
n, _ = ws.Read(msg)
fmt.Printf("Received: %s.\n", msg[:n])
}
})
// x net websocket DialConfig good
http.HandleFunc("/ex1", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
origin := "http://localhost/"
// good as input is tested against a regex
if m, _ := regexp.MatchString("ws://localhost:12345/*", untrustedInput); m {
config, _ := websocket.NewConfig(untrustedInput, origin) // OK? Regex
ws2, _ := websocket.DialConfig(config)
var msg = make([]byte, 512)
var n int
n, _ = ws2.Read(msg)
fmt.Printf("Received: %s.\n", msg[:n])
}
})
// x net websocket dial bad
http.HandleFunc("/ex2", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() // $ Source
origin := "http://localhost/"
// bad as input is directly passed to dial function
ws, _ := websocket.Dial(untrustedInput, "", origin) // $ Alert
var msg = make([]byte, 512)
var n int
n, _ = ws.Read(msg)
fmt.Printf("Received: %s.\n", msg[:n])
})
// x net websocket dialConfig bad
http.HandleFunc("/ex3", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() // $ Source
origin := "http://localhost/"
// bad as input is directly used
config, _ := websocket.NewConfig(untrustedInput, origin) // $ Sink
ws2, _ := websocket.DialConfig(config) // $ Alert
var msg = make([]byte, 512)
var n int
n, _ = ws2.Read(msg)
fmt.Printf("Received: %s.\n", msg[:n])
})
// gorilla websocket Dialer.Dial bad
http.HandleFunc("/ex6", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{}
dialer.Dial(untrustedInput, r.Header) // $ Alert
})
// gorilla websocket Dialer.Dial good
http.HandleFunc("/ex7", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
if untrustedInput == "localhost" {
dialer := gorilla.Dialer{}
dialer.Dial(untrustedInput, r.Header) //OK
}
})
// gorilla websocket Dialer.DialContext bad
http.HandleFunc("/ex8", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer() // $ Source
dialer := gorilla.Dialer{}
dialer.DialContext(context.TODO(), untrustedInput, r.Header) // $ Alert
})
// gorilla websocket Dialer.DialContext good
http.HandleFunc("/ex9", func(w http.ResponseWriter, r *http.Request) {
untrustedInput := r.Referer()
if untrustedInput == "localhost" {
dialer := gorilla.Dialer{}
dialer.DialContext(context.TODO(), untrustedInput, r.Header) //OK
}
})
log.Println(http.ListenAndServe(":80", nil))
}
func handler2(w http.ResponseWriter, req *http.Request) {
unsafehost := req.FormValue("host") // $ Source
url, _ := url.Parse("http://example.com/data")
url.Host = unsafehost
// BAD: `target` is controlled by the attacker
_, err := http.Get(url.String()) // $ Alert
if err != nil {
// error handling
}
// process request response
}