Skip to content

Latest commit

 

History

History
61 lines (50 loc) · 5.92 KB

attack-surface.md

File metadata and controls

61 lines (50 loc) · 5.92 KB

Attack Surface Analysis for zeromicro/go-zero

Attack Surface: Unprotected Internal Service Exposure

  • Description: Internal services or administrative endpoints are exposed due to misconfiguration of go-zero's routing and API gateway.
  • go-zero Contribution: go-zero's automatic route generation and .api file configuration are the direct mechanisms that, if misused, lead to this exposure. The framework's design choices necessitate careful route management.
  • Example: An endpoint /api/internal/admin/users is exposed because of a wildcard route (/api/internal/*) in the go-zero .api file.
  • Impact: Unauthorized access to sensitive data, system compromise, data modification, denial of service.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Explicit Route Definitions: Define all routes explicitly in go-zero's .api files. Avoid overly broad wildcards. Review all routes.
    • Mandatory Authentication/Authorization (go-zero Middleware): Use go-zero's middleware system to enforce authentication and authorization at the gateway level for every route, including internal ones.
    • Regular Audits: Audit the go-zero API gateway configuration and routing rules regularly.

Attack Surface: Middleware Bypass

  • Description: Attackers bypass security controls implemented in go-zero middleware.
  • go-zero Contribution: This is directly related to go-zero's middleware system. The vulnerability arises from how developers use or misuse this core go-zero feature.
  • Example: Authentication middleware is placed after logging middleware in the go-zero configuration, leading to sensitive data being logged before authentication.
  • Impact: Unauthorized access, data breaches, privilege escalation, logging of sensitive information.
  • Risk Severity: High
  • Mitigation Strategies:
    • Middleware Ordering (go-zero Configuration): Carefully plan and enforce the correct order of middleware within go-zero's configuration. Authentication/authorization must come first.
    • Middleware Auditing: Thoroughly audit the code and configuration of all middleware used with go-zero (custom and third-party).
    • Secure Coding Practices (go-zero Middleware): Follow secure coding practices when developing custom go-zero middleware.

Attack Surface: Unvalidated gRPC Input (go-zero gRPC Support)

  • Description: Attackers exploit weaknesses in input validation within go-zero gRPC service handlers.
  • go-zero Contribution: go-zero's built-in support for gRPC is the direct enabler of this attack surface. While Protobuf provides type checking, content validation is the developer's responsibility within the go-zero context.
  • Example: A go-zero gRPC service receives a malicious payload that bypasses basic Protobuf type checks but causes an error within the handler logic.
  • Impact: Denial of service, data corruption, unexpected application behavior.
  • Risk Severity: High
  • Mitigation Strategies:
    • Protobuf Validation (with go-zero): Use Protobuf validation libraries (e.g., protoc-gen-validate) in conjunction with go-zero's gRPC implementation.
    • Handler-Level Validation (go-zero gRPC Handlers): Implement thorough input validation within each go-zero gRPC service handler, even with Protobuf validation.

Attack Surface: Rate Limiting Bypass / DoS (go-zero ratelimit Middleware)

  • Description: Attackers bypass go-zero's built-in rate limiting or cause a denial of service.
  • go-zero Contribution: This attack surface is directly related to go-zero's ratelimit middleware. The vulnerability stems from its configuration and potential bypasses.
  • Example: An attacker bypasses the go-zero ratelimit middleware due to misconfiguration or by using a distributed attack.
  • Impact: Service unavailability, performance degradation.
  • Risk Severity: High
  • Mitigation Strategies:
    • Robust Rate Limiting Configuration (go-zero ratelimit): Carefully configure go-zero's ratelimit middleware with appropriate thresholds and time windows for each endpoint.
    • Multi-Layered Rate Limiting: Implement rate limiting at multiple layers (consider external tools in addition to go-zero).

Attack Surface: Sensitive Data in Configuration/Logs (go-zero Configuration and Logging)

  • Description: Sensitive information is stored insecurely in go-zero configuration files or logged by go-zero's logging system.
  • go-zero Contribution: This is directly related to how developers use go-zero's configuration (YAML files) and logging features. The framework provides these mechanisms, and their misuse creates the vulnerability.
  • Example: A database password is hardcoded in a go-zero config.yaml file, or sensitive data is logged using go-zero's logger at the DEBUG level.
  • Impact: Data breaches, unauthorized access, system compromise.
  • Risk Severity: Critical
  • Mitigation Strategies:
    • Environment Variables (with go-zero): Use environment variables for sensitive data, leveraging go-zero's support for loading configuration from them.
    • Log Sanitization (go-zero Logging Middleware): Customize go-zero's logging middleware to redact or mask sensitive data before logging.
    • Log Level Control (go-zero Logging): Use appropriate log levels in go-zero (avoid DEBUG in production).
    • .gitignore: Exclude go-zero configuration files containing sensitive data from version control.