Made by DeepSource

Audit required: Incomplete regular expression for hostname GO-S1016

Security
Major
A03, CWE-20, SANS Top 25, OWASP Top 10

Handling untrusted URLs may allow attacks such as request forgery and malicious redirection unless the URLs are sanitized. Regular expressions are often used to check hosts, or to match them against a set of allowed hosts, to prevent such attacks. Escape the regular expression's metacharacters correctly and make the expression exactly as restrictive as the intended set of hosts requires.

Recommendations to avoid such attacks:

  • It is easy to accidentally make the regular expression too permissive (or too restrictive) by not escaping regular-expression metacharacters such as `.`. The expression should be carefully audited.

  • Audit the expression to confirm that it permits and rejects exactly the intended URLs.

  • Even if the regular expression is not used in a security-critical context, it may still cause undesirable behavior when it accidentally matches.

Bad practice

```go
package main

import (
	"net/http"
	"regexp"
)

func do(req *http.Request) {
	// NOTE: The host of `req.URL` may be controlled by an attacker.
	// The unescaped `.` matches any character, so this pattern is too permissive.
	re := "^((www|status).)?deepsource.io/"
	if matched, _ := regexp.MatchString(re, req.URL.Host); matched {
		// Do something
	}
}
```

The check is easy to bypass: the unescaped `.` matches any character before and after `deepsource`, so an attacker-controlled host such as `statusXdeepsource.io/` passes the check.

Recommended

```go
package main

import (
	"net/http"
	"regexp"
)

func do(req *http.Request) {
	// NOTE: The host of `req.URL` may be controlled by an attacker.
	// The `.` is escaped now in the regex. A raw string literal keeps the backslash
	// intact; in an interpreted "..." literal, `\.` is an invalid escape and does not compile.
	// The host of `req.URL` now must be `deepsource.io/`, `www.deepsource.io/` or `status.deepsource.io/`
	re := `^((www|status)\.)?deepsource\.io/`
	if matched, _ := regexp.MatchString(re, req.URL.Host); matched {
		// Do something
	}
}
```
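The following is an added example, not DeepSource's own code, that puts the permissive pattern from the "Bad practice" block beside an allowlist built with `regexp.QuoteMeta` and anchored with `^...$`. It assumes the value being checked is `req.URL.Host`, which carries no path, so the trailing `/` from the page's patterns is dropped and an end anchor is used instead; the hostnames and sample inputs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Permissive pattern in the spirit of this page's "bad practice" example:
// the unescaped `.` matches any character and nothing anchors the end.
var permissiveHost = regexp.MustCompile(`^((www|status).)?deepsource.io`)

// allowedHostPattern builds an anchored allowlist regex from literal hostnames.
// regexp.QuoteMeta escapes every metacharacter, so each host matches only
// itself; `^(...)$` rejects extra prefixes or suffixes such as
// "deepsource.io.evil.example" (a constructed hostname).
func allowedHostPattern(hosts []string) *regexp.Regexp {
	quoted := make([]string, 0, len(hosts))
	for _, h := range hosts {
		quoted = append(quoted, regexp.QuoteMeta(strings.ToLower(h)))
	}
	return regexp.MustCompile(`^(` + strings.Join(quoted, "|") + `)$`)
}

// Constructed allowlist matching the hosts named on this page.
var strictHost = allowedHostPattern([]string{
	"deepsource.io", "www.deepsource.io", "status.deepsource.io",
})

// HostAllowed reports whether a URL host (no scheme, no path, no port) is on
// the allowlist. Hostnames are case-insensitive, so compare lowercased.
func HostAllowed(host string) bool {
	return strictHost.MatchString(strings.ToLower(host))
}

// PermissiveHostAllowed is the flawed check, kept only to show what it accepts.
func PermissiveHostAllowed(host string) bool {
	return permissiveHost.MatchString(host)
}

func main() {
	// Constructed sample hosts, including the bypass the page describes.
	samples := []string{"status.deepsource.io", "statusXdeepsource.io", "deepsource.io.evil.example"}
	for _, h := range samples {
		fmt.Printf("%-28s permissive=%-5v strict=%v\n", h, PermissiveHostAllowed(h), HostAllowed(h))
	}
}
```

If the host may carry a port (`req.URL.Host` can be `host:port`), split it with `net.SplitHostPort` before calling `HostAllowed`.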
