Skip to content

Latest commit

 

History

History
265 lines (207 loc) · 13.2 KB

mitigations.md

File metadata and controls

265 lines (207 loc) · 13.2 KB

Mitigation Strategies Analysis for zeromicro/go-zero

Mitigation Strategy: Strict Route Definition (using go-zero's routing)

Mitigation Strategy: Strict Route Definition

Description:

  1. Review *.api Files: Examine all *.api files for wildcard routes (*) or overly broad path parameters.
  2. Refactor to Explicit Paths: Replace wildcards with specific paths. Example: /api/items/* becomes /api/items/{itemID} and /api/items.
  3. Route Grouping (group): Use go-zero's group feature in *.api files to logically organize routes and apply middleware consistently. 
    @server(
    group: user
    prefix: /api/v1/users
    middleware: AuthMiddleware
)
service user-api {
    @handler getUser
    get /{userID} (GetUserReq) returns (GetUserResp)
}
  4. (Ideal - but requires custom tooling): Integrate a script into your CI/CD pipeline to analyze *.api files for dangerous route patterns. This is not a built-in go-zero feature, but leverages the structure of *.api files.

Threats Mitigated:

  • Unintended Endpoint Exposure (High Severity): Prevents access to internal APIs or administrative endpoints.
  • Information Disclosure (Medium Severity): Reduces risk of leaking data through poorly defined routes.
  • Bypassing Authentication/Authorization (High Severity): Ensures protected routes have middleware.

Impact:

  • Unintended Endpoint Exposure: Risk significantly reduced (High to Low).
  • Information Disclosure: Risk reduced (Medium to Low).
  • Bypassing Authentication/Authorization: Risk significantly reduced (High to Low, if middleware is correctly used).

Currently Implemented: Partially. user-api uses specific paths. product-api has wildcards. No CI/CD analysis.

Missing Implementation:

  • product-api: Refactor wildcard routes.
  • CI/CD: Implement automated route analysis (custom tooling).

Mitigation Strategy: Authentication and Authorization (using go-zero's middleware)

Mitigation Strategy: Authentication and Authorization Enforcement (via Middleware)

Description:

  1. Identify Protected Routes: Determine which endpoints need authentication and authorization.
  2. jwtx Middleware (or Custom): Use go-zero's jwtx middleware (or a custom one) in your *.api file to validate JWTs. Configure globally or on route groups: 
    @server(
    middleware: AuthMiddleware // Global
)
service my-api { ... }

@server(
    group: protected
    middleware: AuthMiddleware // Group-specific
)
service my-api { ... }
  3. Authorization within Handlers (Not Directly go-zero): While go-zero provides the mechanism for authentication (middleware), the authorization logic (checking permissions) must be implemented within your handlers. This is not a direct go-zero feature, but it's enabled by the middleware.
  4. Consistent Application: Ensure every protected route has authentication middleware.

Threats Mitigated:

  • Unauthorized Access (High Severity): Prevents unauthenticated access.
  • Bypassing Authentication (High Severity): Ensures authentication checks are performed.
  • (Indirectly) Privilege Escalation (High Severity): The middleware enables authorization checks in handlers, which mitigate this.

Impact:

  • Unauthorized Access: Risk significantly reduced (High to Low).
  • Bypassing Authentication: Risk significantly reduced (High to Low).
  • Privilege Escalation: Risk reduced indirectly (High to Low, dependent on handler logic).

Currently Implemented: jwtx middleware is implemented globally.

Missing Implementation: Authorization checks within handlers are inconsistent (see previous, more complete list). This is not a go-zero feature gap, but a handler implementation gap.

Mitigation Strategy: Input Validation (using go-zero's validate tag)

Mitigation Strategy: Input Validation (via validate tag)

Description:

  1. Request Structs: Define request structs for all API endpoints.
  2. validate Tag: Use the validate tag in your request structs to specify validation rules: 
    type CreateUserReq struct {
    Username string `json:"username" validate:"required,min=3,max=20"`
    Email    string `json:"email" validate:"required,email"`
}
  3. Automatic Validation: go-zero automatically validates requests against these rules before handlers are executed.
  4. (Not Directly go-zero): Handler-level validation is still recommended for complex business rules.

Threats Mitigated:

  • Injection Attacks (High Severity): Prevents many injection attacks (SQL, NoSQL, command, XSS - if combined with output encoding).
  • Data Corruption (Medium Severity): Prevents invalid data.
  • Denial of Service (DoS) (Medium Severity): Helps prevent DoS attacks exploiting input parsing.
  • Business Logic Errors (Medium Severity): Prevents errors from invalid input.

Impact:

  • Injection Attacks: Risk significantly reduced (High to Low/Medium).
  • Data Corruption: Risk reduced (Medium to Low).
  • Denial of Service: Risk reduced (Medium to Low/Medium).
  • Business Logic Errors: Risk reduced (Medium to Low).

Currently Implemented: validate tags are used in most request structs.

Missing Implementation:

  • product-api: Some request structs are missing validate tags.
  • Handler-level validation is inconsistent (not a go-zero feature gap).

Mitigation Strategy: Rate Limiting (using go-zero's ratelimit middleware)

Mitigation Strategy: Rate Limiting (via ratelimit Middleware)

Description:

  1. Identify Targets: Determine which endpoints need rate limiting.
  2. ratelimit Middleware: Use go-zero's ratelimit middleware in your *.api file: 
    @server(
    middleware: RateLimitMiddleware
)
service my-api { ... }
  3. Configuration: Configure limit, burst, period, and key within the middleware.
  4. (Not Directly go-zero): Differentiated limits (per endpoint, user role, etc.) require custom logic, often within the key function or by using multiple instances of the middleware.
  5. (Not Directly go-zero): Informative error responses (429 Too Many Requests, Retry-After header) are best practice, but require custom handler logic.

Threats Mitigated:

  • Denial of Service (DoS) (High Severity): Protects against DoS attacks.
  • Brute-Force Attacks (Medium Severity): Helps prevent brute-force attacks.
  • Resource Exhaustion (Medium Severity): Prevents resource consumption.
  • API Abuse (Medium Severity): Prevents abusive clients.

Impact:

  • Denial of Service: Risk significantly reduced (High to Low/Medium).
  • Brute-Force Attacks: Risk reduced (Medium to Low).
  • Resource Exhaustion: Risk reduced (Medium to Low).
  • API Abuse: Risk reduced (Medium to Low).

Currently Implemented: ratelimit middleware is implemented globally.

Missing Implementation:

  • Differentiated rate limits (not a direct go-zero feature).
  • Informative error responses (not a direct go-zero feature).

Mitigation Strategy: Circuit Breaker (using go-zero's breaker middleware)

Mitigation Strategy: Circuit Breaker (via breaker Middleware)

Description:

  1. Identify Targets: Determine which endpoints need circuit breaker. Usually it is used for external services calls.
  2. breaker Middleware: Use go-zero's breaker middleware in your *.api file: go @server( middleware: BreakerMiddleware ) service my-api { ... }
  3. Configuration: Configure circuit breaker parameters.

Threats Mitigated:

  • Cascading Failures (High Severity): Prevents failures in one service from cascading to other services.
  • Service Unavailability (High Severity): Improves service resilience by preventing requests to failing services.

Impact:

  • Cascading Failures: Risk significantly reduced (High to Low/Medium).
  • Service Unavailability: Risk reduced (High to Low).

Currently Implemented: Not implemented.

Missing Implementation:

  • Implement breaker middleware for external services calls.

Mitigation Strategy: Timeout (using go-zero's timeout middleware)

Mitigation Strategy: Timeout (via timeout Middleware)

Description:

  1. Identify Targets: Determine which endpoints need timeout.
  2. timeout Middleware: Use go-zero's timeout middleware in your *.api file: 
    @server(
    middleware: TimeoutMiddleware
)
service my-api { ... }
  3. Configuration: Configure timeout parameters.

Threats Mitigated:

  • Resource Exhaustion (Medium Severity): Prevents long-running requests from blocking resources.
  • Service Unavailability (High Severity): Improves service resilience by preventing requests to hang indefinitely.

Impact:

  • Resource Exhaustion: Risk reduced (Medium to Low).
  • Service Unavailability: Risk reduced (High to Low).

Currently Implemented: Not implemented.

Missing Implementation:

  • Implement timeout middleware for all endpoints.

Mitigation Strategy: Configuration Loading (using go-zero's config)

Mitigation Strategy: Secure Configuration Loading

Description:

  1. Define Configuration Struct: Create a Go struct that represents your application's configuration.
  2. Use conf.MustLoad: Use the conf.MustLoad function (or conf.Load) from go-zero's core/conf package to load configuration from a file (YAML, JSON, TOML). 
    var c Config
conf.MustLoad("etc/my-api.yaml", &c)
  3. Environment Variable Overrides: Use the env tag in your configuration struct to allow environment variables to override values from the configuration file. This is crucial for secrets. 
    type Config struct {
    Database struct {
        Host     string `yaml:"host"`
        Port     int    `yaml:"port"`
        User     string `yaml:"user"`
        Password string `yaml:"password" env:"DB_PASSWORD"` // Override from env
    } `yaml:"database"`
}
  4. (Not Directly go-zero): For production, use a secrets management service (Vault, AWS Secrets Manager, etc.) and inject secrets into environment variables. go-zero's env tag support makes this integration seamless.

Threats Mitigated:

  • Credential Exposure (High Severity): The env tag, when used with environment variables and a secrets manager, significantly reduces this risk. go-zero provides the mechanism for secure loading.
  • Configuration Errors (Low Severity): conf.MustLoad helps ensure that the configuration file is valid and can be parsed.

Impact:

  • Credential Exposure: Risk significantly reduced (High to Low, when used correctly).
  • Configuration Errors: Risk reduced (Low to Negligible).

Currently Implemented: conf.MustLoad is used. Environment variables are used for some secrets.

Missing Implementation:

  • Consistent use of environment variables for all secrets.
  • Integration with a secrets management service (not a go-zero feature gap).

Mitigation Strategy: Logging (using go-zero's logx)

Mitigation Strategy: Structured Logging (via logx)

Description:

  1. Use logx: Use go-zero's logx package for all logging.
  2. Structured Logging: Use logx.WithContext(ctx).Infof(...) or similar methods to log in a structured (JSON) format. Include relevant context: 
    logx.WithContext(ctx).Infow("User logged in", logx.Field("userID", userID))
  3. Log Levels: Use appropriate log levels (debug, info, warn, error, fatal).
  4. (Not Directly go-zero): Log aggregation, monitoring, and alerting are crucial, but they are external to go-zero. go-zero provides the logging mechanism.

Threats Mitigated:

  • (Indirectly) Intrusion Detection (Medium Severity): Structured logs enable better intrusion detection when combined with log analysis tools.
  • (Indirectly) Incident Response (Medium Severity): Structured logs provide valuable information for investigations.

Impact:

  • Intrusion Detection: Risk reduced indirectly (Medium to Low/Medium).
  • Incident Response: Risk reduced indirectly (Medium to Low/Medium).

Currently Implemented: logx is used, but not always with structured logging.

Missing Implementation:

  • Consistent use of structured logging with logx.WithContext.
  • Log aggregation, monitoring, and alerting (not go-zero features).