Broken Authorization in Go Lang
Go's standard library does not provide a built-in authorization mechanism, but third-party web frameworks offer hooks (middleware, context values) on which robust access control can be built.
Vulnerable Example
As an example, consider a handler from the echo Go framework that performs some kind of action for authenticated users:
e := echo.New()
e.POST("/action/:id", ActionHandler, authenticationMiddleware)
The above ensures that ActionHandler can only be executed by authenticated users, but authentication alone is not enough: authorization must also be enforced, otherwise any logged-in user can act on any resource. The following implementation has no such check and is therefore vulnerable:
func ActionHandler(c echo.Context) error {
	id := c.Param("id")
	// Vulnerable: the resource is fetched by the caller-supplied id and acted upon
	// without checking whether the authenticated user is allowed to touch it.
	resource := getResourceBy(id)
	resource.Action()
	return c.String(http.StatusOK, "OK")
}
When implementing ActionHandler, developers should ensure that access control checks are performed, for example by restricting the action to the owner of the resource:
func ActionHandler(c echo.Context) error {
	id := c.Param("id")
	resource := getResourceBy(id)
	// Object-level authorization: only the resource owner may perform the action.
	if resource.Owner() != getOwnerFromContext(c) {
		return c.String(http.StatusUnauthorized, "Action not authorized")
	}
	resource.Action()
	return c.String(http.StatusOK, "OK")
}
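The following is an added, self-contained example (not code from the original article) that shows the same ownership check end to end on the standard library's net/http instead of echo, so it runs without third-party modules. The authentication middleware reads the caller identity from a constructed X-User header, standing in for the session or token validation a real deployment would do; the resource store and user names are constructed sample data, and authorizeAction, principalFrom and doRequest are names chosen for this example. Note that a failed ownership check returns 403 Forbidden, since the caller is authenticated but not permitted, while a missing identity returns 401.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Resource is a minimal stand-in for whatever resource.Action() operates on.
type Resource struct {
	ID      string
	OwnerID string
}

// Constructed sample data: two resources owned by two different users.
var resources = map[string]*Resource{
	"1": {ID: "1", OwnerID: "alice"},
	"2": {ID: "2", OwnerID: "bob"},
}

var (
	ErrNotFound  = errors.New("resource not found")
	ErrForbidden = errors.New("principal does not own resource")
)

type ctxKey int

const principalKey ctxKey = 0

// authenticate plays the role of authenticationMiddleware: it takes the caller
// identity from the constructed X-User header (a real service would validate a
// session cookie or token here) and stores it in the request context.
func authenticate(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := r.Header.Get("X-User")
		if user == "" {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), principalKey, user)))
	})
}

// principalFrom is the counterpart of getOwnerFromContext in the article.
func principalFrom(ctx context.Context) string {
	p, _ := ctx.Value(principalKey).(string)
	return p
}

// authorizeAction is the object-level check: it succeeds only when the
// authenticated principal owns the requested resource. Keeping the policy in a
// pure function lets it be unit tested independently of HTTP plumbing.
func authorizeAction(id, principal string) (*Resource, error) {
	res, ok := resources[id]
	if !ok {
		return nil, ErrNotFound
	}
	if res.OwnerID != principal {
		return nil, ErrForbidden
	}
	return res, nil
}

// actionHandler mirrors the fixed ActionHandler on net/http.
func actionHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/action/")
	res, err := authorizeAction(id, principalFrom(r.Context()))
	switch {
	case errors.Is(err, ErrNotFound):
		http.Error(w, "not found", http.StatusNotFound)
		return
	case errors.Is(err, ErrForbidden):
		// Authenticated but not permitted: 403, not 401.
		http.Error(w, "action not authorized", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "action performed on resource %s", res.ID)
}

func newServer() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/action/", authenticate(http.HandlerFunc(actionHandler)))
	return mux
}

// doRequest issues POST /action/{id} as the given user (empty = anonymous)
// against an in-process server and returns the HTTP status code.
func doRequest(user, id string) int {
	req := httptest.NewRequest(http.MethodPost, "/action/"+id, nil)
	if user != "" {
		req.Header.Set("X-User", user)
	}
	rec := httptest.NewRecorder()
	newServer().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("alice on 1:", doRequest("alice", "1")) // 200
	fmt.Println("bob on 1:  ", doRequest("bob", "1"))   // 403
	fmt.Println("anon on 1: ", doRequest("", "1"))      // 401
}
```

The split between authenticate (who is calling) and authorizeAction (what that caller may do) is the point of the article: the middleware alone would let bob act on alice's resource, and only the ownership comparison in authorizeAction closes that gap.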
References
MITRE - CWE-285 - Improper Authorization
OWASP Top 10 2017 - Broken Access Control
OWASP - Access Control Cheat Sheet