Broken Authorization in Go Lang

Even though Go does not provide native solutions to this problem, third-party frameworks may offer dedicated approaches to implement robust access control mechanisms.

Vulnerable Example

As an example, consider a handler from the echo Go framework that performs some kind of action for authenticated users:

e := echo.New()
e.POST("/action/:id", ActionHandler, authenticationMiddleware)

The above ensures that ActionHandler can only be executed by authenticated users, but that alone is not enough: authentication establishes who the caller is, while authorization decides what that caller may do. The following implementation performs no authorization check at all, so any authenticated user can trigger the action on any resource:

func ActionHandler(c echo.Context) error {
    // The resource is looked up by the id taken from the URL, but nothing
    // verifies that the authenticated caller is allowed to act on it.
    id := c.Param("id")
    resource := getResourceBy(id)
    resource.Action()
    return c.String(http.StatusOK, "OK")
}

When implementing ActionHandler, developers should ensure access control checks are performed before the action runs, for example by restricting access to the owner of the resource:

func ActionHandler(c echo.Context) error {
    id := c.Param("id")
    resource := getResourceBy(id)

    // Deny unless the authenticated caller owns the resource. The caller is
    // already authenticated, so 403 Forbidden (not 401) is the right status.
    if resource.Owner() != getOwnerFromContext(c) {
        return c.String(http.StatusForbidden, "Action not authorized")
    }

    resource.Action()
    return c.String(http.StatusOK, "OK")
}
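The same owner check as a runnable program, added here as an example that is not part of the original page: it uses the standard library's net/http instead of echo so it needs no third-party module, and Resource, store, the X-Authenticated-User header and the chosen status codes are assumptions. It also covers the cases the page's snippet leaves implicit: no authenticated identity, an unknown id, and an authenticated non-owner.

```go
package main

import (
	"net/http"
	"strings"
)

// Resource and store are constructed stand-ins for the page's getResourceBy lookup.
type Resource struct{ ID, Owner string }

var store = map[string]Resource{
	"1": {ID: "1", Owner: "alice"},
	"2": {ID: "2", Owner: "bob"},
}

// principalFrom stands in for getOwnerFromContext (assumption: the verified identity arrives in a header).
func principalFrom(r *http.Request) string {
	return r.Header.Get("X-Authenticated-User")
}

// authorize is the page's owner check, separated so it can be tested: 401/404/403/200.
func authorize(r *http.Request, id string) int {
	user := principalFrom(r)
	if user == "" {
		return http.StatusUnauthorized // no authenticated identity at all
	}
	res, ok := store[id]
	if !ok {
		return http.StatusNotFound
	}
	if res.Owner != user {
		return http.StatusForbidden // authenticated, but not the owner
	}
	return http.StatusOK
}

// ActionHandler mirrors the page's echo handler on net/http; a denial returns before the action.
func ActionHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/action/")
	if status := authorize(r, id); status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	w.Write([]byte("OK")) // resource.Action() would run here
}

func main() {
	http.ListenAndServe(":8080", http.HandlerFunc(ActionHandler))
}
```

Keeping the decision in authorize rather than inline in the handler makes it unit-testable and reusable across every handler that touches the same resource type.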

References

MITRE - CWE-285 - Improper Authorization
OWASP Top 10 2017 - Broken Access Control
OWASP - Access Control Cheat Sheet