Skip to content

Latest commit

 

History

History
67 lines (58 loc) · 5.71 KB

threat-modeling.md

File metadata and controls

67 lines (58 loc) · 5.71 KB

Threat Model Analysis for gorilla/mux

Threat: Threat: Unexpected Route Matching (Path Traversal/Confusion)

  • Description: An attacker crafts a malicious URL containing special characters (e.g., ../, %2e%2e%2f, encoded slashes) or unexpected patterns. These exploit poorly defined regular expressions or path variable handling within mux's route definitions. The attacker aims to bypass intended access controls, reach unintended handlers, or access files outside the intended directory, leveraging mux's routing logic.
    • Impact:
      • Unauthorized access to sensitive data or functionality.
      • Execution of unintended code (if the handler is reached).
      • Potential for server-side request forgery (SSRF).
      • Information disclosure.
    • Affected Component:
      • mux.Router.HandleFunc() and related methods (e.g., Handle(), Path(), PathPrefix()) specifically when used with regular expressions or path variables.
      • The regular expression engine within mux (Go's regexp package) as used by mux for route matching.
      • mux's path variable extraction logic.
    • Risk Severity: High to Critical.
    • Mitigation Strategies:
      • Use strict, well-defined regular expressions. Avoid overly permissive patterns.
      • Employ StrictSlash(true) to enforce consistent trailing slash behavior.
      • Validate and sanitize all path variable inputs within the handler after the route matches (defense in depth, even though mux does some parsing). Do not rely solely on the route matcher.
      • Use mux.Vars(r) to safely retrieve path variables.
      • Extensive testing, including fuzz testing, with a focus on path traversal payloads.
      • Avoid complex nested routers.

Threat: Threat: HTTP Method Confusion

  • Description: An attacker sends a request using an unexpected HTTP method (e.g., POST instead of GET, or a custom method) to a route. The route might be defined in mux for a different method, but the handler doesn't check, or mux isn't configured to enforce methods. The attacker bypasses security checks implemented only for the intended method(s) or triggers unexpected behavior. This exploits a lack of method enforcement within the context of how mux is used.
    • Impact:
      • Bypass of authentication or authorization checks.
      • Unexpected state changes.
      • Potential denial of service.
    • Affected Component:
      • mux.Router.HandleFunc() and related methods, specifically in how they are used (or not used) with .Methods().
      • mux.Router.Methods() - if not used, or used incorrectly, to restrict allowed methods. This is a direct mux feature.
    • Risk Severity: High.
    • Mitigation Strategies:
      • Always explicitly define allowed HTTP methods using .Methods("GET", "POST", ...) for each route within mux. This is the primary mitigation.
      • Within the handler, check r.Method (defense in depth, but the primary mitigation is correct mux usage).

Threat: Threat: Host/Scheme Confusion (Direct mux Misuse)

  • Description: An attacker manipulates the Host header or uses an unexpected scheme. The application incorrectly uses mux.Router.Host() or mux.Router.Scheme() for security-critical decisions (e.g., authorization, tenant isolation) instead of just routing. This is a direct misuse of mux features.
    • Impact:
      • Access to resources intended for a different domain/tenant.
      • Bypass of HTTPS enforcement (if mux.Scheme() is misused for security).
      • Incorrect authorization decisions.
    • Affected Component:
      • mux.Router.Host() and mux.Router.Scheme() - specifically when used inappropriately for security decisions instead of just routing.
    • Risk Severity: High.
    • Mitigation Strategies:
      • Use mux.Host() and mux.Scheme() for routing only. Never use them directly for security-critical decisions.
      • Validate the Host header against a known-good list within the handler, completely independent of mux's routing.
      • Enforce HTTPS using middleware before the mux router (this is a general best practice, but the direct mux threat is misusing Scheme()).

Threat: Threat: Regular Expression Denial of Service (ReDoS) within mux Route Matching

  • Description: An attacker crafts a malicious input string that exploits a poorly written regular expression within a mux route matcher. This causes excessive backtracking and CPU consumption, leading to a denial of service. This is a direct threat to mux's use of regular expressions.
    • Impact:
      • Denial of service.
      • Resource exhaustion.
    • Affected Component:
      • mux.Router.HandleFunc() and related methods (e.g., Path(), PathPrefix(), Queries()) specifically when they use vulnerable regular expressions within the route definition. This is the core issue.
    • Risk Severity: High.
    • Mitigation Strategies:
      • Avoid complex, nested regular expressions within mux route matchers. Favor simple, specific patterns.
      • Use a regular expression analysis tool.
      • Set a timeout on regular expression matching (this is a general Go best practice, but it's crucial when using regexes within mux for routing).